49b2868d687fa4c2f8df75e4b452f9aca4a5073d44dd1bfd001d8f0888c6bad4

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c4ea5adbb81cb2211c210af6bf0f40N.exe
Size

88KB
MD5

51c4ea5adbb81cb2211c210af6bf0f40
SHA1

d6933fdf54772b2e91cb77450579228fa1f98951
SHA256

49b2868d687fa4c2f8df75e4b452f9aca4a5073d44dd1bfd001d8f0888c6bad4
SHA512

2913a67ca5841cfc12650a738cf6eb1669eab7acafdac3dfde8821b2b97bb81b0bd9b844dddceaa03a02dac71c62ee3e47805ade0391e07965d666a8be53eeba
SSDEEP

768:5vw9816thKQLrov4/wQkNrfrunMxVFA3V:lEG/0ovlbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{475E185E-C9D1-4801-8A25-3E8237E355AC}\stubpath = "C:\\Windows\\{475E185E-C9D1-4801-8A25-3E8237E355AC}.exe"	{E85BE146-3CCE-4535-9D87-A64A605A40CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}\stubpath = "C:\\Windows\\{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe"	{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}	{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}\stubpath = "C:\\Windows\\{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe"	{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{475E185E-C9D1-4801-8A25-3E8237E355AC}	{E85BE146-3CCE-4535-9D87-A64A605A40CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E85BE146-3CCE-4535-9D87-A64A605A40CD}	{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}	{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}	{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}\stubpath = "C:\\Windows\\{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe"	{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}\stubpath = "C:\\Windows\\{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe"	{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}	{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C761854-36A6-406c-8936-B731926A1729}	51c4ea5adbb81cb2211c210af6bf0f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFA8D517-E401-4b87-AA99-E041F9835B84}	{7C761854-36A6-406c-8936-B731926A1729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFA8D517-E401-4b87-AA99-E041F9835B84}\stubpath = "C:\\Windows\\{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe"	{7C761854-36A6-406c-8936-B731926A1729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C1FBE89-6554-471b-8F42-237D22D81F56}\stubpath = "C:\\Windows\\{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe"	{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C761854-36A6-406c-8936-B731926A1729}\stubpath = "C:\\Windows\\{7C761854-36A6-406c-8936-B731926A1729}.exe"	51c4ea5adbb81cb2211c210af6bf0f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C1FBE89-6554-471b-8F42-237D22D81F56}	{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E85BE146-3CCE-4535-9D87-A64A605A40CD}\stubpath = "C:\\Windows\\{E85BE146-3CCE-4535-9D87-A64A605A40CD}.exe"	{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe

Deletes itself 1 IoCs

pid	Process
1388	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
3020	{7C761854-36A6-406c-8936-B731926A1729}.exe
2944	{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe
2784	{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe
1040	{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe
1776	{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe
2672	{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe
2388	{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe
1352	{E85BE146-3CCE-4535-9D87-A64A605A40CD}.exe
544	{475E185E-C9D1-4801-8A25-3E8237E355AC}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe	{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe
File created	C:\Windows\{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe	{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe
File created	C:\Windows\{E85BE146-3CCE-4535-9D87-A64A605A40CD}.exe	{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe
File created	C:\Windows\{475E185E-C9D1-4801-8A25-3E8237E355AC}.exe	{E85BE146-3CCE-4535-9D87-A64A605A40CD}.exe
File created	C:\Windows\{7C761854-36A6-406c-8936-B731926A1729}.exe	51c4ea5adbb81cb2211c210af6bf0f40N.exe
File created	C:\Windows\{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe	{7C761854-36A6-406c-8936-B731926A1729}.exe
File created	C:\Windows\{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe	{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe
File created	C:\Windows\{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe	{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe
File created	C:\Windows\{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe	{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{475E185E-C9D1-4801-8A25-3E8237E355AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c4ea5adbb81cb2211c210af6bf0f40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C761854-36A6-406c-8936-B731926A1729}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E85BE146-3CCE-4535-9D87-A64A605A40CD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2548	51c4ea5adbb81cb2211c210af6bf0f40N.exe
Token: SeIncBasePriorityPrivilege	3020	{7C761854-36A6-406c-8936-B731926A1729}.exe
Token: SeIncBasePriorityPrivilege	2944	{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe
Token: SeIncBasePriorityPrivilege	2784	{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe
Token: SeIncBasePriorityPrivilege	1040	{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe
Token: SeIncBasePriorityPrivilege	1776	{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe
Token: SeIncBasePriorityPrivilege	2672	{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe
Token: SeIncBasePriorityPrivilege	2388	{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe
Token: SeIncBasePriorityPrivilege	1352	{E85BE146-3CCE-4535-9D87-A64A605A40CD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3020	2548	51c4ea5adbb81cb2211c210af6bf0f40N.exe	29
PID 2548 wrote to memory of 3020	2548	51c4ea5adbb81cb2211c210af6bf0f40N.exe	29
PID 2548 wrote to memory of 3020	2548	51c4ea5adbb81cb2211c210af6bf0f40N.exe	29
PID 2548 wrote to memory of 3020	2548	51c4ea5adbb81cb2211c210af6bf0f40N.exe	29
PID 2548 wrote to memory of 1388	2548	51c4ea5adbb81cb2211c210af6bf0f40N.exe	30
PID 2548 wrote to memory of 1388	2548	51c4ea5adbb81cb2211c210af6bf0f40N.exe	30
PID 2548 wrote to memory of 1388	2548	51c4ea5adbb81cb2211c210af6bf0f40N.exe	30
PID 2548 wrote to memory of 1388	2548	51c4ea5adbb81cb2211c210af6bf0f40N.exe	30
PID 3020 wrote to memory of 2944	3020	{7C761854-36A6-406c-8936-B731926A1729}.exe	31
PID 3020 wrote to memory of 2944	3020	{7C761854-36A6-406c-8936-B731926A1729}.exe	31
PID 3020 wrote to memory of 2944	3020	{7C761854-36A6-406c-8936-B731926A1729}.exe	31
PID 3020 wrote to memory of 2944	3020	{7C761854-36A6-406c-8936-B731926A1729}.exe	31
PID 3020 wrote to memory of 2832	3020	{7C761854-36A6-406c-8936-B731926A1729}.exe	32
PID 3020 wrote to memory of 2832	3020	{7C761854-36A6-406c-8936-B731926A1729}.exe	32
PID 3020 wrote to memory of 2832	3020	{7C761854-36A6-406c-8936-B731926A1729}.exe	32
PID 3020 wrote to memory of 2832	3020	{7C761854-36A6-406c-8936-B731926A1729}.exe	32
PID 2944 wrote to memory of 2784	2944	{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe	33
PID 2944 wrote to memory of 2784	2944	{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe	33
PID 2944 wrote to memory of 2784	2944	{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe	33
PID 2944 wrote to memory of 2784	2944	{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe	33
PID 2944 wrote to memory of 2600	2944	{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe	34
PID 2944 wrote to memory of 2600	2944	{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe	34
PID 2944 wrote to memory of 2600	2944	{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe	34
PID 2944 wrote to memory of 2600	2944	{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe	34
PID 2784 wrote to memory of 1040	2784	{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe	35
PID 2784 wrote to memory of 1040	2784	{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe	35
PID 2784 wrote to memory of 1040	2784	{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe	35
PID 2784 wrote to memory of 1040	2784	{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe	35
PID 2784 wrote to memory of 2212	2784	{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe	36
PID 2784 wrote to memory of 2212	2784	{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe	36
PID 2784 wrote to memory of 2212	2784	{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe	36
PID 2784 wrote to memory of 2212	2784	{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe	36
PID 1040 wrote to memory of 1776	1040	{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe	37
PID 1040 wrote to memory of 1776	1040	{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe	37
PID 1040 wrote to memory of 1776	1040	{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe	37
PID 1040 wrote to memory of 1776	1040	{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe	37
PID 1040 wrote to memory of 2448	1040	{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe	38
PID 1040 wrote to memory of 2448	1040	{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe	38
PID 1040 wrote to memory of 2448	1040	{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe	38
PID 1040 wrote to memory of 2448	1040	{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe	38
PID 1776 wrote to memory of 2672	1776	{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe	39
PID 1776 wrote to memory of 2672	1776	{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe	39
PID 1776 wrote to memory of 2672	1776	{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe	39
PID 1776 wrote to memory of 2672	1776	{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe	39
PID 1776 wrote to memory of 1148	1776	{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe	40
PID 1776 wrote to memory of 1148	1776	{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe	40
PID 1776 wrote to memory of 1148	1776	{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe	40
PID 1776 wrote to memory of 1148	1776	{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe	40
PID 2672 wrote to memory of 2388	2672	{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe	41
PID 2672 wrote to memory of 2388	2672	{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe	41
PID 2672 wrote to memory of 2388	2672	{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe	41
PID 2672 wrote to memory of 2388	2672	{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe	41
PID 2672 wrote to memory of 1484	2672	{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe	42
PID 2672 wrote to memory of 1484	2672	{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe	42
PID 2672 wrote to memory of 1484	2672	{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe	42
PID 2672 wrote to memory of 1484	2672	{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe	42
PID 2388 wrote to memory of 1352	2388	{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe	43
PID 2388 wrote to memory of 1352	2388	{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe	43
PID 2388 wrote to memory of 1352	2388	{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe	43
PID 2388 wrote to memory of 1352	2388	{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe	43
PID 2388 wrote to memory of 2968	2388	{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe	44
PID 2388 wrote to memory of 2968	2388	{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe	44
PID 2388 wrote to memory of 2968	2388	{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe	44
PID 2388 wrote to memory of 2968	2388	{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe	44

C:\Users\Admin\AppData\Local\Temp\51c4ea5adbb81cb2211c210af6bf0f40N.exe
"C:\Users\Admin\AppData\Local\Temp\51c4ea5adbb81cb2211c210af6bf0f40N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\{7C761854-36A6-406c-8936-B731926A1729}.exe
  C:\Windows\{7C761854-36A6-406c-8936-B731926A1729}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe
    C:\Windows\{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe
      C:\Windows\{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe
        
        C:\Windows\{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
      - C:\Windows\{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe
        
        C:\Windows\{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe
        
        C:\Windows\{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe
        
        C:\Windows\{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{E85BE146-3CCE-4535-9D87-A64A605A40CD}.exe
        
        C:\Windows\{E85BE146-3CCE-4535-9D87-A64A605A40CD}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\{475E185E-C9D1-4801-8A25-3E8237E355AC}.exe
        
        C:\Windows\{475E185E-C9D1-4801-8A25-3E8237E355AC}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E85BE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B05A4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0D9C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C1FB~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E522D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{118F7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CFA8D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7C761~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\51C4EA~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{118F7BB3-6E75-4e0e-84DB-0317AA22C9A9}.exe

Filesize
88KB

MD5
d6d624f20058bc3a60558751e2fe68c4

SHA1
d415f13da9f29e84c06a4c7cde60300a28fbc328

SHA256
e46d8a7efada69c9e130d5f5b6e93f9c9bc0db1db81f8e6e2de68ee74c8a8867

SHA512
33ec1c12aa14aea1d5369db1465a8cbce42ebaa2bf036188476e9469c6f2059a410ad1dbc31fae188ca9b220139aabd55a0f2fe407ce464a106c222bddd58ee1

Download Submit
C:\Windows\{3C1FBE89-6554-471b-8F42-237D22D81F56}.exe

Filesize
88KB

MD5
dea902a364a571661672d2e74c1b15e1

SHA1
65685c86c0033e5e51f8d5730f49605331c89e23

SHA256
1445890e45779e39bda61e5a4a9f044e24e073309ae3ee8188efc88b6c3b9f65

SHA512
b9e6d04a44ad900a40485e6fb2fbaca76819e59cde984c31cbf63667e17b9bf77ad962065a700c3e1a5b4a122bb163d1cb23fe331991e8da9756d6a7bd153252

Download Submit
C:\Windows\{475E185E-C9D1-4801-8A25-3E8237E355AC}.exe

Filesize
88KB

MD5
a6c8050978211fdfa69a9f09e705fa1c

SHA1
5ebed3e9487d183dea131dd62e55ed06c62ec47a

SHA256
afdbcb97860c0fb81a3ce12e5bfd90a701c487e354584319700519b59e7c710a

SHA512
7e8121b18fe12ccff1f4a40da9a163558665c47d8d32ad03de94e7d837ba0a06148eb3fb337220723893a57cdefdc5e0d5914e10649303a486cc28dbbcf9aacd

Download Submit
C:\Windows\{7C761854-36A6-406c-8936-B731926A1729}.exe

Filesize
88KB

MD5
05e83cbc07afe8952636d81086a55f11

SHA1
ce4c1b7e5de766835178e61d448bd37395810127

SHA256
263122076c6063f4461dd0fd3a4dd98a8fd7c7b5e3604fcc4c89aba1986f7c38

SHA512
a423393f87668038bbf94165b8ada3df7c9c887f70b3f255a8657e9f09fbddd6302de2bb1c7e6ca3723d205fd49aa764acf32fa24281c52d1766d87148dc98fa

Download Submit
C:\Windows\{B05A49F7-7C67-4eef-9F0E-43FAC97B2680}.exe

Filesize
88KB

MD5
1f6c17c7ea3e0aa43f50304b069890a5

SHA1
f144cc342b4b9f6aad74231f12ba6c98ad46e874

SHA256
294ff433b301f8373dca0163e3e2247c4605b6c36138fe89d06b0c4636b2c2ba

SHA512
ffbad97f23d5b680be332903ad8c7ceaeb730ad79031eea0aa74dda460bee0ddb3c14cd7a5ca6bee87168c2bbbce3dc39cea4279bfce938ee016977c0dd84cef

Download Submit
C:\Windows\{CFA8D517-E401-4b87-AA99-E041F9835B84}.exe

Filesize
88KB

MD5
a0f5c888eeb3332d88076b058c032d09

SHA1
e1dda34844c7d6e6e3b641ae425173a7301e7ffc

SHA256
39d307014facbda62d92e461ebd008ad0678718f317ae8527ab5cd87ca5cced1

SHA512
02c18f009a2b159a920fec9c3b89b4b2a28d43bf512b8818c3a0387f5f9742a2dfa4d196e70a46d53ceebea592749382151d7eee2d213c6dfd881283a45bda25

Download Submit
C:\Windows\{E0D9CF91-B0ED-4b28-8BA2-959543C37F3F}.exe

Filesize
88KB

MD5
6c9327ed5aead3d326220124a74b97ca

SHA1
7d05ff32db31429d43424106663acc2918a80019

SHA256
9a43881faa8e8bf10f18171aca79955c479e1c0dcf276a6f7b80e015a6390c37

SHA512
31bbc0300a6361195505d7b9010e53ae6bb2480fc587010f6dbaac1267ea67c6953e4e5f7e65f5cc5c3edfeeda18bf99de3eba5258b2ab0cba0dff63d7646f8b

Download Submit
C:\Windows\{E522D788-6471-49a5-BE64-2C6BCA9C8C1A}.exe

Filesize
88KB

MD5
14a918bf9ffac0acfa058817b08b5d17

SHA1
3c350eca337a618ea809a12e5a8c6d6e1f8800e7

SHA256
2b085322323e57d08dee1288d3ef03ca7569a5e58c9c4d49e82cab47e4e9d21e

SHA512
865b23136d80e99281151caa01c4c097028ba0582fc9ffdbcb8a5a705dc56d5890720128bee0bbfc8113b41ddf6cb56f1fb7bf6880f7e0471fbdb4adafbf6f37

Download Submit
C:\Windows\{E85BE146-3CCE-4535-9D87-A64A605A40CD}.exe

Filesize
88KB

MD5
1039f35c0e67cc6d5773f0beb6356b72

SHA1
9947ecd6911cef7c54fb773436b0a230e18c9305

SHA256
8a30978a6e45ff3b94dbf610b43fe559593a57005e571c9c21fea8539956fcae

SHA512
83a84369a0dc31bca866526194986ebcde68e77e338801bf48f642e75853872c1e8724d883b210ff87bf8bb6efbe5a985dca82e6ef020f8a4ed94756df19305c

Download Submit
memory/544-83-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1040-39-0x0000000000380000-0x0000000000391000-memory.dmp

Filesize
68KB

Download
memory/1040-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1352-81-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1352-74-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1776-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1776-54-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/1776-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2388-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2388-72-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2548-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2548-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2548-3-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2548-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2672-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2672-59-0x0000000000360000-0x0000000000371000-memory.dmp

Filesize
68KB

Download
memory/2784-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2784-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2944-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2944-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3020-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3020-13-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads