521ab302300f2a48181d57b9c1151692cf3f26bc9c0cb6a49e23f2ce29dd99be

Analysis

max time kernel
118s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 00:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

30cbfa56439ef69b2ab1180b70bae570N.exe
Size

83KB
MD5

30cbfa56439ef69b2ab1180b70bae570
SHA1

59c92e8de942f2aedc42b21c23262bfbf08ce60a
SHA256

521ab302300f2a48181d57b9c1151692cf3f26bc9c0cb6a49e23f2ce29dd99be
SHA512

081fe1d7be5eda97616ba4350684d500ed46548c2b3a2d6de9426685dc5dd9dca4c2ad264003da793c9f9b70ef671aa3e301ef29c6ed2699ed525a9a14cb9fec
SSDEEP

1536:q4Gh0o4N0p3nouy8QbunMxVS3HgdoKjhLJh731xvsr:q4Gh0o4N05outQCMUyNjhLJh731xvsr

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{541E3594-4E38-48f0-9A05-36714396560B}	30cbfa56439ef69b2ab1180b70bae570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34435F91-447B-4391-B364-B3CB75C6051A}\stubpath = "C:\\Windows\\{34435F91-447B-4391-B364-B3CB75C6051A}.exe"	{785C67A0-7413-44d9-9A13-260B1E64C730}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}	{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}\stubpath = "C:\\Windows\\{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe"	{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD759F01-2DCE-4890-A34C-03F29BBA68F6}	{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD759F01-2DCE-4890-A34C-03F29BBA68F6}\stubpath = "C:\\Windows\\{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe"	{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}	{541E3594-4E38-48f0-9A05-36714396560B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}\stubpath = "C:\\Windows\\{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe"	{541E3594-4E38-48f0-9A05-36714396560B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}	{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7C662A3-F5E4-485d-BFAB-2731100D485E}	{34435F91-447B-4391-B364-B3CB75C6051A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}\stubpath = "C:\\Windows\\{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe"	{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4013AE7C-EC83-4d28-BBE8-CCFFE253DFDE}	{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{541E3594-4E38-48f0-9A05-36714396560B}\stubpath = "C:\\Windows\\{541E3594-4E38-48f0-9A05-36714396560B}.exe"	30cbfa56439ef69b2ab1180b70bae570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{785C67A0-7413-44d9-9A13-260B1E64C730}	{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{785C67A0-7413-44d9-9A13-260B1E64C730}\stubpath = "C:\\Windows\\{785C67A0-7413-44d9-9A13-260B1E64C730}.exe"	{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34435F91-447B-4391-B364-B3CB75C6051A}	{785C67A0-7413-44d9-9A13-260B1E64C730}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7C662A3-F5E4-485d-BFAB-2731100D485E}\stubpath = "C:\\Windows\\{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe"	{34435F91-447B-4391-B364-B3CB75C6051A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4013AE7C-EC83-4d28-BBE8-CCFFE253DFDE}\stubpath = "C:\\Windows\\{4013AE7C-EC83-4d28-BBE8-CCFFE253DFDE}.exe"	{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe

Executes dropped EXE 9 IoCs

pid	Process
448	{541E3594-4E38-48f0-9A05-36714396560B}.exe
1228	{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe
2648	{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe
3660	{785C67A0-7413-44d9-9A13-260B1E64C730}.exe
1000	{34435F91-447B-4391-B364-B3CB75C6051A}.exe
224	{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe
3400	{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe
4868	{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe
4724	{4013AE7C-EC83-4d28-BBE8-CCFFE253DFDE}.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3488-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3488-1-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0007000000023456-4.dat	upx
behavioral2/memory/448-5-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3488-7-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/448-8-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0014000000023450-11.dat	upx
behavioral2/memory/1228-14-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/448-13-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1228-15-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000f000000023392-16.dat	upx
behavioral2/memory/1228-19-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2648-20-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2648-22-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2648-26-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3660-27-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0015000000023450-25.dat	upx
behavioral2/memory/3660-29-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0010000000023392-32.dat	upx
behavioral2/memory/1000-35-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3660-33-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1000-36-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0017000000023450-39.dat	upx
behavioral2/memory/224-41-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1000-40-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/224-43-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0011000000023392-46.dat	upx
behavioral2/memory/224-47-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3400-49-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3400-50-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0007000000023474-53.dat	upx
behavioral2/memory/4868-56-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3400-54-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4868-57-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4868-61-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4724-62-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000e000000023352-60.dat	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe	{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe
File created	C:\Windows\{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe	{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe
File created	C:\Windows\{541E3594-4E38-48f0-9A05-36714396560B}.exe	30cbfa56439ef69b2ab1180b70bae570N.exe
File created	C:\Windows\{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe	{34435F91-447B-4391-B364-B3CB75C6051A}.exe
File created	C:\Windows\{785C67A0-7413-44d9-9A13-260B1E64C730}.exe	{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe
File created	C:\Windows\{34435F91-447B-4391-B364-B3CB75C6051A}.exe	{785C67A0-7413-44d9-9A13-260B1E64C730}.exe
File created	C:\Windows\{4013AE7C-EC83-4d28-BBE8-CCFFE253DFDE}.exe	{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe
File created	C:\Windows\{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe	{541E3594-4E38-48f0-9A05-36714396560B}.exe
File created	C:\Windows\{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe	{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30cbfa56439ef69b2ab1180b70bae570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34435F91-447B-4391-B364-B3CB75C6051A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{541E3594-4E38-48f0-9A05-36714396560B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{785C67A0-7413-44d9-9A13-260B1E64C730}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4013AE7C-EC83-4d28-BBE8-CCFFE253DFDE}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3488	30cbfa56439ef69b2ab1180b70bae570N.exe
Token: SeIncBasePriorityPrivilege	448	{541E3594-4E38-48f0-9A05-36714396560B}.exe
Token: SeIncBasePriorityPrivilege	1228	{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe
Token: SeIncBasePriorityPrivilege	2648	{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe
Token: SeIncBasePriorityPrivilege	3660	{785C67A0-7413-44d9-9A13-260B1E64C730}.exe
Token: SeIncBasePriorityPrivilege	1000	{34435F91-447B-4391-B364-B3CB75C6051A}.exe
Token: SeIncBasePriorityPrivilege	224	{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe
Token: SeIncBasePriorityPrivilege	3400	{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe
Token: SeIncBasePriorityPrivilege	4868	{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 448	3488	30cbfa56439ef69b2ab1180b70bae570N.exe	95
PID 3488 wrote to memory of 448	3488	30cbfa56439ef69b2ab1180b70bae570N.exe	95
PID 3488 wrote to memory of 448	3488	30cbfa56439ef69b2ab1180b70bae570N.exe	95
PID 3488 wrote to memory of 3396	3488	30cbfa56439ef69b2ab1180b70bae570N.exe	96
PID 3488 wrote to memory of 3396	3488	30cbfa56439ef69b2ab1180b70bae570N.exe	96
PID 3488 wrote to memory of 3396	3488	30cbfa56439ef69b2ab1180b70bae570N.exe	96
PID 448 wrote to memory of 1228	448	{541E3594-4E38-48f0-9A05-36714396560B}.exe	97
PID 448 wrote to memory of 1228	448	{541E3594-4E38-48f0-9A05-36714396560B}.exe	97
PID 448 wrote to memory of 1228	448	{541E3594-4E38-48f0-9A05-36714396560B}.exe	97
PID 448 wrote to memory of 2552	448	{541E3594-4E38-48f0-9A05-36714396560B}.exe	98
PID 448 wrote to memory of 2552	448	{541E3594-4E38-48f0-9A05-36714396560B}.exe	98
PID 448 wrote to memory of 2552	448	{541E3594-4E38-48f0-9A05-36714396560B}.exe	98
PID 1228 wrote to memory of 2648	1228	{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe	102
PID 1228 wrote to memory of 2648	1228	{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe	102
PID 1228 wrote to memory of 2648	1228	{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe	102
PID 1228 wrote to memory of 4832	1228	{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe	103
PID 1228 wrote to memory of 4832	1228	{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe	103
PID 1228 wrote to memory of 4832	1228	{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe	103
PID 2648 wrote to memory of 3660	2648	{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe	104
PID 2648 wrote to memory of 3660	2648	{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe	104
PID 2648 wrote to memory of 3660	2648	{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe	104
PID 2648 wrote to memory of 3536	2648	{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe	105
PID 2648 wrote to memory of 3536	2648	{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe	105
PID 2648 wrote to memory of 3536	2648	{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe	105
PID 3660 wrote to memory of 1000	3660	{785C67A0-7413-44d9-9A13-260B1E64C730}.exe	106
PID 3660 wrote to memory of 1000	3660	{785C67A0-7413-44d9-9A13-260B1E64C730}.exe	106
PID 3660 wrote to memory of 1000	3660	{785C67A0-7413-44d9-9A13-260B1E64C730}.exe	106
PID 3660 wrote to memory of 1940	3660	{785C67A0-7413-44d9-9A13-260B1E64C730}.exe	107
PID 3660 wrote to memory of 1940	3660	{785C67A0-7413-44d9-9A13-260B1E64C730}.exe	107
PID 3660 wrote to memory of 1940	3660	{785C67A0-7413-44d9-9A13-260B1E64C730}.exe	107
PID 1000 wrote to memory of 224	1000	{34435F91-447B-4391-B364-B3CB75C6051A}.exe	109
PID 1000 wrote to memory of 224	1000	{34435F91-447B-4391-B364-B3CB75C6051A}.exe	109
PID 1000 wrote to memory of 224	1000	{34435F91-447B-4391-B364-B3CB75C6051A}.exe	109
PID 1000 wrote to memory of 1936	1000	{34435F91-447B-4391-B364-B3CB75C6051A}.exe	110
PID 1000 wrote to memory of 1936	1000	{34435F91-447B-4391-B364-B3CB75C6051A}.exe	110
PID 1000 wrote to memory of 1936	1000	{34435F91-447B-4391-B364-B3CB75C6051A}.exe	110
PID 224 wrote to memory of 3400	224	{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe	111
PID 224 wrote to memory of 3400	224	{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe	111
PID 224 wrote to memory of 3400	224	{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe	111
PID 224 wrote to memory of 5072	224	{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe	112
PID 224 wrote to memory of 5072	224	{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe	112
PID 224 wrote to memory of 5072	224	{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe	112
PID 3400 wrote to memory of 4868	3400	{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe	117
PID 3400 wrote to memory of 4868	3400	{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe	117
PID 3400 wrote to memory of 4868	3400	{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe	117
PID 3400 wrote to memory of 2812	3400	{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe	118
PID 3400 wrote to memory of 2812	3400	{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe	118
PID 3400 wrote to memory of 2812	3400	{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe	118
PID 4868 wrote to memory of 4724	4868	{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe	123
PID 4868 wrote to memory of 4724	4868	{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe	123
PID 4868 wrote to memory of 4724	4868	{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe	123
PID 4868 wrote to memory of 3704	4868	{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe	124
PID 4868 wrote to memory of 3704	4868	{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe	124
PID 4868 wrote to memory of 3704	4868	{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe	124

C:\Users\Admin\AppData\Local\Temp\30cbfa56439ef69b2ab1180b70bae570N.exe
"C:\Users\Admin\AppData\Local\Temp\30cbfa56439ef69b2ab1180b70bae570N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\{541E3594-4E38-48f0-9A05-36714396560B}.exe
  C:\Windows\{541E3594-4E38-48f0-9A05-36714396560B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe
    C:\Windows\{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Windows\{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe
      C:\Windows\{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\{785C67A0-7413-44d9-9A13-260B1E64C730}.exe
        
        C:\Windows\{785C67A0-7413-44d9-9A13-260B1E64C730}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - C:\Windows\{34435F91-447B-4391-B364-B3CB75C6051A}.exe
        
        C:\Windows\{34435F91-447B-4391-B364-B3CB75C6051A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe
        
        C:\Windows\{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe
        
        C:\Windows\{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe
        
        C:\Windows\{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\{4013AE7C-EC83-4d28-BBE8-CCFFE253DFDE}.exe
        
        C:\Windows\{4013AE7C-EC83-4d28-BBE8-CCFFE253DFDE}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD759~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A1FC~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7C66~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34435~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{785C6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7338~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{384A5~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{541E3~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\30CBFA~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{34435F91-447B-4391-B364-B3CB75C6051A}.exe

Filesize
83KB

MD5
7faaa7e59d3b093efe4cf856399f3d6c

SHA1
4164d8078311708258f262623db4b18b61bf464c

SHA256
a63948a3b0e9985d42f40ab03de148ecfdbf85907acbf7c161bbb67277a60cdf

SHA512
60c3ddff5bce0ac2813c092ec1d124355081e12e4d84d38bea08ebe26fc25679347332ce08d6ecb496f29aed73c819e4f3d7183d0edfed08618a3c56ee8520c7

Download Submit
C:\Windows\{384A5F6F-7645-4f3e-ABC0-A44F46ACFC76}.exe

Filesize
83KB

MD5
16c091e4ed30531832c6eedec2c92c0e

SHA1
44b4079714c89f29d75ba00aff2b31edf8a835eb

SHA256
3094f4bf85fecef920dc6b7b64f529a37d88d3895af8c88fb5215c9946d970fc

SHA512
5d4589b798199f0756a2a0485ebdba183fd32a96bea73244d3611a7d76560786b949933c90252f2a6fbedd7922ae14abe6a0668fae4bed912472eb002ad9a60c

Download Submit
C:\Windows\{4013AE7C-EC83-4d28-BBE8-CCFFE253DFDE}.exe

Filesize
83KB

MD5
6bbdaf623ac61b9d6e215a1f81c32063

SHA1
00974c76e909cc6d17de26995e7ada60e10527f0

SHA256
eb3a1c3869879daa5504a50b197a14ae2827242dfa8c35fbef624663157e6702

SHA512
50c407a7a96024d4ebe3086a73f5d17821336d20aab2e377bddfe591f8b9ecd37fbddb932806dc383d5af02a18d643d8955a5557feb7fb0f503c3578fa4510f4

Download Submit
C:\Windows\{541E3594-4E38-48f0-9A05-36714396560B}.exe

Filesize
83KB

MD5
b9e6d3ef9dd2303a16a55a1d52eeae14

SHA1
fc6587c161f87cf231179563ed5992d139fcf73c

SHA256
67b912f8fe083523db34870227408ba04db9bbd4456e9e7953bfac859b2304fe

SHA512
fc19501b8f1eaa13b63a2433d167658b5a407602464b8586c8c1c2c5c827728918827a77100f6d008dddbd125ae7c3a488c61cff9fc053f419ef7ddb3be01022

Download Submit
C:\Windows\{785C67A0-7413-44d9-9A13-260B1E64C730}.exe

Filesize
83KB

MD5
7d686c6c2e752a2f171675dddcb7ce7c

SHA1
fe998621c818314a1a733a63ab65ba73cb861900

SHA256
cf9b31da0fd779e49594adb196999ab888b240a45d606661bc561aab87269020

SHA512
5d0a344110c60f5b5db70ecdcdb2f3cc5ed58b6229f2006471bb4abcc438ba6664102a4d684f1de9cb5a1cdb55fe671d74afd506e32d891e5a0b81fe7d5c58ac

Download Submit
C:\Windows\{8A1FC033-5D9C-45f9-9CAC-2BF6C26EE91F}.exe

Filesize
83KB

MD5
2f51b0b409cc2fb1480b0b8588a78c48

SHA1
6997cbdfa960e0638821e06488618228cfe38381

SHA256
bbd62219e04eca8b54f7b28464d779fbaf0b614c41e421623dfcbafedcc7dfea

SHA512
929fc171d85931c2c8ac5bdc5404bed02d1fd1c77ac04aa5aa951565094cc282ca06e09a547007a638478e9016ebb76b678fcec4cda92a234d71930c7f8b1cab

Download Submit
C:\Windows\{C7338202-D0F4-4ab9-83C9-8AF8F8187D85}.exe

Filesize
83KB

MD5
9054939988289ceb7a2addb43179e4ed

SHA1
a9ee1654da5f5f2ebdbce760e7664330199ec29b

SHA256
3f9b752ac0f1a23775c3102721bce6bc3af0ebe95aa3fe8a4343e2d29aa50d27

SHA512
0011a799bebbd14c48bf08a028f03d9613bb2fbc59bbb62dbdbb989b27458fe5abf715a02b96ef5637437e46b7b40a602476bf589602a6e7f86b4d4b16f408bb

Download Submit
C:\Windows\{CD759F01-2DCE-4890-A34C-03F29BBA68F6}.exe

Filesize
83KB

MD5
620eb6f6ceff402af66c98142535fdc7

SHA1
4c375d6923d092084cb78a14505776e09b3df313

SHA256
032722c2b1537ba7aa46aa613b8747135624decde99d977204b89863def77dc9

SHA512
56d9eb0a6c8c7b1c30d1c515fa3791fc59ad41c32c093a12a86303470de4e191c9bd6400ced7c0e685936386fc2336a0047aa2191a2b01dd30a4e25b12ff5cd6

Download Submit
C:\Windows\{E7C662A3-F5E4-485d-BFAB-2731100D485E}.exe

Filesize
83KB

MD5
b8d400bffbdb3e47c6208f490e833ac7

SHA1
f1d9cf375d2ec1611b2d46fb051eb0d5d9bcf103

SHA256
7b2915439e767a476624d2429316a64104ac80e5acc652088ba86959a76af4b3

SHA512
92fbce85eec4074f836084193feed0fe30a96aada246329e793685ebc31fc783543925f0e540abd4a95c720f42897722400ea5ae89e5e97fb658884a9b1f4e78

Download Submit
memory/224-47-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/224-41-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/224-43-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/448-8-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/448-5-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/448-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1000-36-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1000-40-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1000-35-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1228-19-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1228-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1228-15-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2648-20-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2648-22-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2648-26-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3400-49-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3400-50-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3400-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3488-7-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3488-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3488-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3660-33-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3660-29-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3660-27-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4724-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4868-57-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4868-61-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4868-56-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads