13c769a06d43d58883cfd2739be9e5c59d049be51c852866ff94c5c4f95d908a

Analysis

max time kernel
118s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fcea16e08affe07a520c9786eaabeb0N.exe
Size

90KB
MD5

2fcea16e08affe07a520c9786eaabeb0
SHA1

2b79912daa160e943ac7cb120c12c442c81d788d
SHA256

13c769a06d43d58883cfd2739be9e5c59d049be51c852866ff94c5c4f95d908a
SHA512

2c0090da7303a3ee3297016ab421d965de5f1d558636479b9d0e1f5b0e4af34658684e7228517245620aad0e97763903916813e93db5548a627018d3400f9d77
SSDEEP

768:Qvw9816vhKQLror4/wQRNrfrunMxVFA3b7glw6:YEGh0orl2unMxVS3Hgl

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA032725-C112-4252-B0E2-6A2C687A7D9D}\stubpath = "C:\\Windows\\{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe"	{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1417321C-A112-4d65-AF99-9B5E251D05DE}	{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C01366A-3EDB-4446-A288-EC1EE3FD8A8C}\stubpath = "C:\\Windows\\{8C01366A-3EDB-4446-A288-EC1EE3FD8A8C}.exe"	{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5B3D10F-147A-4f7b-916B-0348F3E3F109}\stubpath = "C:\\Windows\\{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe"	{E2C324C3-1584-4446-84F2-248477EE6488}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C79C6DB-24DC-4326-8C51-218A436891BD}\stubpath = "C:\\Windows\\{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe"	{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}	{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA032725-C112-4252-B0E2-6A2C687A7D9D}	{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5B3D10F-147A-4f7b-916B-0348F3E3F109}	{E2C324C3-1584-4446-84F2-248477EE6488}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1417321C-A112-4d65-AF99-9B5E251D05DE}\stubpath = "C:\\Windows\\{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe"	{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}\stubpath = "C:\\Windows\\{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe"	{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D60BD543-3C14-4c32-89CC-571B2C89D608}	{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2C324C3-1584-4446-84F2-248477EE6488}	2fcea16e08affe07a520c9786eaabeb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2C324C3-1584-4446-84F2-248477EE6488}\stubpath = "C:\\Windows\\{E2C324C3-1584-4446-84F2-248477EE6488}.exe"	2fcea16e08affe07a520c9786eaabeb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C79C6DB-24DC-4326-8C51-218A436891BD}	{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}\stubpath = "C:\\Windows\\{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe"	{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}	{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D60BD543-3C14-4c32-89CC-571B2C89D608}\stubpath = "C:\\Windows\\{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe"	{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C01366A-3EDB-4446-A288-EC1EE3FD8A8C}	{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe

Executes dropped EXE 9 IoCs

pid	Process
3968	{E2C324C3-1584-4446-84F2-248477EE6488}.exe
1848	{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe
3576	{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe
4780	{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe
1400	{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe
2228	{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe
4536	{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe
2628	{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe
4808	{8C01366A-3EDB-4446-A288-EC1EE3FD8A8C}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{E2C324C3-1584-4446-84F2-248477EE6488}.exe	2fcea16e08affe07a520c9786eaabeb0N.exe
File created	C:\Windows\{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe	{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe
File created	C:\Windows\{8C01366A-3EDB-4446-A288-EC1EE3FD8A8C}.exe	{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe
File created	C:\Windows\{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe	{E2C324C3-1584-4446-84F2-248477EE6488}.exe
File created	C:\Windows\{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe	{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe
File created	C:\Windows\{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe	{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe
File created	C:\Windows\{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe	{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe
File created	C:\Windows\{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe	{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe
File created	C:\Windows\{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe	{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E2C324C3-1584-4446-84F2-248477EE6488}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C01366A-3EDB-4446-A288-EC1EE3FD8A8C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fcea16e08affe07a520c9786eaabeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3352	2fcea16e08affe07a520c9786eaabeb0N.exe
Token: SeIncBasePriorityPrivilege	3968	{E2C324C3-1584-4446-84F2-248477EE6488}.exe
Token: SeIncBasePriorityPrivilege	1848	{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe
Token: SeIncBasePriorityPrivilege	3576	{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe
Token: SeIncBasePriorityPrivilege	4780	{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe
Token: SeIncBasePriorityPrivilege	1400	{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe
Token: SeIncBasePriorityPrivilege	2228	{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe
Token: SeIncBasePriorityPrivilege	4536	{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe
Token: SeIncBasePriorityPrivilege	2628	{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 3968	3352	2fcea16e08affe07a520c9786eaabeb0N.exe	95
PID 3352 wrote to memory of 3968	3352	2fcea16e08affe07a520c9786eaabeb0N.exe	95
PID 3352 wrote to memory of 3968	3352	2fcea16e08affe07a520c9786eaabeb0N.exe	95
PID 3352 wrote to memory of 4608	3352	2fcea16e08affe07a520c9786eaabeb0N.exe	96
PID 3352 wrote to memory of 4608	3352	2fcea16e08affe07a520c9786eaabeb0N.exe	96
PID 3352 wrote to memory of 4608	3352	2fcea16e08affe07a520c9786eaabeb0N.exe	96
PID 3968 wrote to memory of 1848	3968	{E2C324C3-1584-4446-84F2-248477EE6488}.exe	97
PID 3968 wrote to memory of 1848	3968	{E2C324C3-1584-4446-84F2-248477EE6488}.exe	97
PID 3968 wrote to memory of 1848	3968	{E2C324C3-1584-4446-84F2-248477EE6488}.exe	97
PID 3968 wrote to memory of 3240	3968	{E2C324C3-1584-4446-84F2-248477EE6488}.exe	98
PID 3968 wrote to memory of 3240	3968	{E2C324C3-1584-4446-84F2-248477EE6488}.exe	98
PID 3968 wrote to memory of 3240	3968	{E2C324C3-1584-4446-84F2-248477EE6488}.exe	98
PID 1848 wrote to memory of 3576	1848	{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe	102
PID 1848 wrote to memory of 3576	1848	{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe	102
PID 1848 wrote to memory of 3576	1848	{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe	102
PID 1848 wrote to memory of 2652	1848	{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe	103
PID 1848 wrote to memory of 2652	1848	{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe	103
PID 1848 wrote to memory of 2652	1848	{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe	103
PID 3576 wrote to memory of 4780	3576	{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe	104
PID 3576 wrote to memory of 4780	3576	{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe	104
PID 3576 wrote to memory of 4780	3576	{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe	104
PID 3576 wrote to memory of 4212	3576	{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe	105
PID 3576 wrote to memory of 4212	3576	{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe	105
PID 3576 wrote to memory of 4212	3576	{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe	105
PID 4780 wrote to memory of 1400	4780	{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe	106
PID 4780 wrote to memory of 1400	4780	{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe	106
PID 4780 wrote to memory of 1400	4780	{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe	106
PID 4780 wrote to memory of 3848	4780	{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe	107
PID 4780 wrote to memory of 3848	4780	{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe	107
PID 4780 wrote to memory of 3848	4780	{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe	107
PID 1400 wrote to memory of 2228	1400	{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe	109
PID 1400 wrote to memory of 2228	1400	{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe	109
PID 1400 wrote to memory of 2228	1400	{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe	109
PID 1400 wrote to memory of 4420	1400	{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe	110
PID 1400 wrote to memory of 4420	1400	{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe	110
PID 1400 wrote to memory of 4420	1400	{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe	110
PID 2228 wrote to memory of 4536	2228	{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe	111
PID 2228 wrote to memory of 4536	2228	{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe	111
PID 2228 wrote to memory of 4536	2228	{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe	111
PID 2228 wrote to memory of 2084	2228	{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe	112
PID 2228 wrote to memory of 2084	2228	{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe	112
PID 2228 wrote to memory of 2084	2228	{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe	112
PID 4536 wrote to memory of 2628	4536	{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe	117
PID 4536 wrote to memory of 2628	4536	{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe	117
PID 4536 wrote to memory of 2628	4536	{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe	117
PID 4536 wrote to memory of 2040	4536	{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe	118
PID 4536 wrote to memory of 2040	4536	{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe	118
PID 4536 wrote to memory of 2040	4536	{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe	118
PID 2628 wrote to memory of 4808	2628	{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe	123
PID 2628 wrote to memory of 4808	2628	{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe	123
PID 2628 wrote to memory of 4808	2628	{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe	123
PID 2628 wrote to memory of 2788	2628	{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe	124
PID 2628 wrote to memory of 2788	2628	{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe	124
PID 2628 wrote to memory of 2788	2628	{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe	124

C:\Users\Admin\AppData\Local\Temp\2fcea16e08affe07a520c9786eaabeb0N.exe
"C:\Users\Admin\AppData\Local\Temp\2fcea16e08affe07a520c9786eaabeb0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\{E2C324C3-1584-4446-84F2-248477EE6488}.exe
  C:\Windows\{E2C324C3-1584-4446-84F2-248477EE6488}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe
    C:\Windows\{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe
      C:\Windows\{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Windows\{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe
        
        C:\Windows\{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4780
      - C:\Windows\{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe
        
        C:\Windows\{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe
        
        C:\Windows\{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe
        
        C:\Windows\{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe
        
        C:\Windows\{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{8C01366A-3EDB-4446-A288-EC1EE3FD8A8C}.exe
        
        C:\Windows\{8C01366A-3EDB-4446-A288-EC1EE3FD8A8C}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14173~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D60BD~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA032~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB5C8~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73A21~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C79C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C5B3D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E2C32~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2FCEA1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1417321C-A112-4d65-AF99-9B5E251D05DE}.exe

Filesize
90KB

MD5
62a38a40fdba0818a86e0da7f128e2e4

SHA1
bf805a0981eec0306d42771b8f9633eb6772e7a7

SHA256
6c30dee399a474a628729b7be0600ffd0707b7d4ec499df02044b9c028f99750

SHA512
a9df49ef6d6937143d729ee80b8fe42f8eaa3dc6a558f67143fc7ff1306caf430429e204531ca84f13f396a5bc569efda646bddc79c1f296b9de7d766ce14ae1

Download Submit
C:\Windows\{1C79C6DB-24DC-4326-8C51-218A436891BD}.exe

Filesize
90KB

MD5
9fea104af283fc652872ef5ac5fb6ded

SHA1
cddcbbbe56ed070f7a4192f9622364ffe6568c39

SHA256
f6bcbf796d29da52051b34e9d8c8081fc910d53bf76a469003173c60cbd72fab

SHA512
d11b712973ecdebe5bd435d2f946bfb6455203fc2c45d9d0f3e727cdfa18748ad9ca6f1d0acb288c569150d153c7db2432483bef03a2e112c746ece63b9922de

Download Submit
C:\Windows\{73A2116F-6BBC-4dcd-ACCF-76AAE03A0C10}.exe

Filesize
90KB

MD5
8ea52a61b67227bed4e158513c67d40a

SHA1
abd7841e79da100881d1049442c9bf1b53345208

SHA256
0106e894ab8f3b6c3cd363850415d7a3fc31248853d2701e57a49808923d6f5c

SHA512
f4676e2a0d87fec8833e2d020cd4e37fb661104e5e2dd8828d2610b7f73893ea86ed79de43237bb2b2e0bab0c6a31e5b0ab4681bcf405a03f42c30c63d995dcf

Download Submit
C:\Windows\{8C01366A-3EDB-4446-A288-EC1EE3FD8A8C}.exe

Filesize
90KB

MD5
e4e4f192690663800a5cebb89dc05a11

SHA1
20cdb85a26c661e522cf044dff3dba87124128e5

SHA256
8cde0df43e9d0fc2264a400951f990f7f45af5b5fbc039748b20bcf8f058c104

SHA512
d3004acae08f4ccfe0db9c5ceb29238acb161f739e0596fcd1dd51e9fc03a291fad966aad755f4a6af7a5fab1d1f69844778063367ba4ba0a64ef8e143b7d996

Download Submit
C:\Windows\{C5B3D10F-147A-4f7b-916B-0348F3E3F109}.exe

Filesize
90KB

MD5
97199ee46c491b14b5201084d7fa6a29

SHA1
f7a27be2ec5961f030bfa3c09efc7c52bcefc94c

SHA256
7b1d7d3af1c0690359f40670c6ce9be4b7bf09adcc5d9e4b0d0e0c932fe5b953

SHA512
ad17eba663c12d6c9ae108a24d98fe36c4e76fe578c854ca213d1ca1979af10e56673dc9463e55baa65a29fbb201295507ca26343840ce51b1c2b1c3280ed730

Download Submit
C:\Windows\{D60BD543-3C14-4c32-89CC-571B2C89D608}.exe

Filesize
90KB

MD5
3b3c5313592a568b2b314957abeb8c6c

SHA1
a6328ba76c042e2df66866fe091cf801e192cb12

SHA256
68cae38185d900dab2d906818004d68df73dee3399680fd84fa17384e9431419

SHA512
7fe0d253c4fc2ef77df01bdf90b86107d86b9e4b23938d0d8db6beb8e8edca52e2eb1be5d051977f8376b979ea5e399d5d502195aba2dd3a6e6e71d2413f3db1

Download Submit
C:\Windows\{DA032725-C112-4252-B0E2-6A2C687A7D9D}.exe

Filesize
90KB

MD5
eecc6f23e0ba09ac97250b66a4d4b884

SHA1
98774aba723670e8b77f727d6d316255e1f7c28b

SHA256
338f76ee181ed7f4a09b13c63cdd8a350c958ee07e8a0f498342e2b48e1f032f

SHA512
ca2d01fdd9f0d22ef09c5d57d8a53f5c5d8e6e12015b0bd78b3f03e747d570891311d384d16fe3ec1e2de8a2eac3b4cb6fda9f6a0ebabc08556d0dbe15a00191

Download Submit
C:\Windows\{DB5C8FEC-7142-4fc9-A6A2-5DDCB7C31F1C}.exe

Filesize
90KB

MD5
4c3e68baa841909b44ef1a26b076f780

SHA1
5708481fda85c73ec0d04a429d3250af1feadc2c

SHA256
3e798e722e4be15e6505fda0cb4e7d927173346c550246f4944905fd0444b2e0

SHA512
d3d1097565ae59a21fa1a7f57c6be2d037d22e76eeb450f73a6528ac829b1ac8663b105d551e77f7329bb2f96fd733dfa3137ab9f3d47a54142ba61d2a8651fe

Download Submit
C:\Windows\{E2C324C3-1584-4446-84F2-248477EE6488}.exe

Filesize
90KB

MD5
a833b9cce3be0343a278ce188f54518b

SHA1
c6ec1b9a4bc3de85c90d372e2e5397750242367f

SHA256
a68cf8175a870dab75284b3075803cdaf6b2a97f71b03e1b844f9f792c59606c

SHA512
a63dec92cc17a20e7ad3cf5a73778f617fad73f3f543ba80ff7b67d27e2d85f41548356aebe759b82760af6c41447333a997cb3a7d5b1d18641cf5d2692b0c8d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads