bdf43f490193f57547964d62e9f27ccfac219559912805ac22da73ea09e043ec

Analysis

max time kernel
100s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a81b5870fe81d181d03f8566413ab6f0N.exe
Size

90KB
MD5

a81b5870fe81d181d03f8566413ab6f0
SHA1

1b542205410f8d014ca532b1211abcd58c0ce74e
SHA256

bdf43f490193f57547964d62e9f27ccfac219559912805ac22da73ea09e043ec
SHA512

d6c13bd2e1ceba9a5eef9aac1601edf2e4f5dfeb1754799d2f72ba31dbd87cf9f866ff1a536987f3fa699c3bb1aa31e4d9c89d4095bd2b78ece3da613d7f2183
SSDEEP

768:Qvw9816vhKQLroaL4/wQRNrfrunMxVFA3b7glw:YEGh0oaLl2unMxVS3Hg

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 16 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5201C44-535C-4cc7-AE02-A8B506E20978}	{CF684263-3D3C-4cc5-8951-945C1A654834}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7EF50A2-548D-4054-B0D8-54EE10E00B56}\stubpath = "C:\\Windows\\{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe"	{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4232B5A-DBA2-493e-9634-EA2840BDD039}\stubpath = "C:\\Windows\\{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe"	a81b5870fe81d181d03f8566413ab6f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF684263-3D3C-4cc5-8951-945C1A654834}	{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF684263-3D3C-4cc5-8951-945C1A654834}\stubpath = "C:\\Windows\\{CF684263-3D3C-4cc5-8951-945C1A654834}.exe"	{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7EF50A2-548D-4054-B0D8-54EE10E00B56}	{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4232B5A-DBA2-493e-9634-EA2840BDD039}	a81b5870fe81d181d03f8566413ab6f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C134DF0-683F-4197-BBFD-F95D6F592CE3}	{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}	{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}	{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}\stubpath = "C:\\Windows\\{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe"	{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C134DF0-683F-4197-BBFD-F95D6F592CE3}\stubpath = "C:\\Windows\\{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe"	{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}\stubpath = "C:\\Windows\\{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe"	{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B878A8B-3D88-42d9-8A7F-8AC5FDFDF34D}	{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B878A8B-3D88-42d9-8A7F-8AC5FDFDF34D}\stubpath = "C:\\Windows\\{2B878A8B-3D88-42d9-8A7F-8AC5FDFDF34D}.exe"	{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5201C44-535C-4cc7-AE02-A8B506E20978}\stubpath = "C:\\Windows\\{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe"	{CF684263-3D3C-4cc5-8951-945C1A654834}.exe

Deletes itself 1 IoCs

pid	Process
1720	cmd.exe

Executes dropped EXE 8 IoCs

pid	Process
2072	{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe
2852	{CF684263-3D3C-4cc5-8951-945C1A654834}.exe
2612	{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe
2772	{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe
2260	{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe
2672	{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe
2972	{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe
536	{2B878A8B-3D88-42d9-8A7F-8AC5FDFDF34D}.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe	{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe
File created	C:\Windows\{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe	{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe
File created	C:\Windows\{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe	{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe
File created	C:\Windows\{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe	{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe
File created	C:\Windows\{2B878A8B-3D88-42d9-8A7F-8AC5FDFDF34D}.exe	{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe
File created	C:\Windows\{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe	a81b5870fe81d181d03f8566413ab6f0N.exe
File created	C:\Windows\{CF684263-3D3C-4cc5-8951-945C1A654834}.exe	{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe
File created	C:\Windows\{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe	{CF684263-3D3C-4cc5-8951-945C1A654834}.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a81b5870fe81d181d03f8566413ab6f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B878A8B-3D88-42d9-8A7F-8AC5FDFDF34D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CF684263-3D3C-4cc5-8951-945C1A654834}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1676	a81b5870fe81d181d03f8566413ab6f0N.exe
Token: SeIncBasePriorityPrivilege	2072	{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe
Token: SeIncBasePriorityPrivilege	2852	{CF684263-3D3C-4cc5-8951-945C1A654834}.exe
Token: SeIncBasePriorityPrivilege	2612	{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe
Token: SeIncBasePriorityPrivilege	2772	{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe
Token: SeIncBasePriorityPrivilege	2260	{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe
Token: SeIncBasePriorityPrivilege	2672	{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe
Token: SeIncBasePriorityPrivilege	2972	{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2072	1676	a81b5870fe81d181d03f8566413ab6f0N.exe	30
PID 1676 wrote to memory of 2072	1676	a81b5870fe81d181d03f8566413ab6f0N.exe	30
PID 1676 wrote to memory of 2072	1676	a81b5870fe81d181d03f8566413ab6f0N.exe	30
PID 1676 wrote to memory of 2072	1676	a81b5870fe81d181d03f8566413ab6f0N.exe	30
PID 1676 wrote to memory of 1720	1676	a81b5870fe81d181d03f8566413ab6f0N.exe	31
PID 1676 wrote to memory of 1720	1676	a81b5870fe81d181d03f8566413ab6f0N.exe	31
PID 1676 wrote to memory of 1720	1676	a81b5870fe81d181d03f8566413ab6f0N.exe	31
PID 1676 wrote to memory of 1720	1676	a81b5870fe81d181d03f8566413ab6f0N.exe	31
PID 2072 wrote to memory of 2852	2072	{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe	33
PID 2072 wrote to memory of 2852	2072	{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe	33
PID 2072 wrote to memory of 2852	2072	{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe	33
PID 2072 wrote to memory of 2852	2072	{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe	33
PID 2072 wrote to memory of 2884	2072	{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe	34
PID 2072 wrote to memory of 2884	2072	{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe	34
PID 2072 wrote to memory of 2884	2072	{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe	34
PID 2072 wrote to memory of 2884	2072	{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe	34
PID 2852 wrote to memory of 2612	2852	{CF684263-3D3C-4cc5-8951-945C1A654834}.exe	35
PID 2852 wrote to memory of 2612	2852	{CF684263-3D3C-4cc5-8951-945C1A654834}.exe	35
PID 2852 wrote to memory of 2612	2852	{CF684263-3D3C-4cc5-8951-945C1A654834}.exe	35
PID 2852 wrote to memory of 2612	2852	{CF684263-3D3C-4cc5-8951-945C1A654834}.exe	35
PID 2852 wrote to memory of 2768	2852	{CF684263-3D3C-4cc5-8951-945C1A654834}.exe	36
PID 2852 wrote to memory of 2768	2852	{CF684263-3D3C-4cc5-8951-945C1A654834}.exe	36
PID 2852 wrote to memory of 2768	2852	{CF684263-3D3C-4cc5-8951-945C1A654834}.exe	36
PID 2852 wrote to memory of 2768	2852	{CF684263-3D3C-4cc5-8951-945C1A654834}.exe	36
PID 2612 wrote to memory of 2772	2612	{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe	37
PID 2612 wrote to memory of 2772	2612	{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe	37
PID 2612 wrote to memory of 2772	2612	{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe	37
PID 2612 wrote to memory of 2772	2612	{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe	37
PID 2612 wrote to memory of 2604	2612	{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe	38
PID 2612 wrote to memory of 2604	2612	{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe	38
PID 2612 wrote to memory of 2604	2612	{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe	38
PID 2612 wrote to memory of 2604	2612	{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe	38
PID 2772 wrote to memory of 2260	2772	{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe	39
PID 2772 wrote to memory of 2260	2772	{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe	39
PID 2772 wrote to memory of 2260	2772	{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe	39
PID 2772 wrote to memory of 2260	2772	{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe	39
PID 2772 wrote to memory of 1640	2772	{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe	40
PID 2772 wrote to memory of 1640	2772	{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe	40
PID 2772 wrote to memory of 1640	2772	{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe	40
PID 2772 wrote to memory of 1640	2772	{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe	40
PID 2260 wrote to memory of 2672	2260	{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe	41
PID 2260 wrote to memory of 2672	2260	{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe	41
PID 2260 wrote to memory of 2672	2260	{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe	41
PID 2260 wrote to memory of 2672	2260	{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe	41
PID 2260 wrote to memory of 3000	2260	{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe	42
PID 2260 wrote to memory of 3000	2260	{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe	42
PID 2260 wrote to memory of 3000	2260	{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe	42
PID 2260 wrote to memory of 3000	2260	{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe	42
PID 2672 wrote to memory of 2972	2672	{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe	43
PID 2672 wrote to memory of 2972	2672	{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe	43
PID 2672 wrote to memory of 2972	2672	{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe	43
PID 2672 wrote to memory of 2972	2672	{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe	43
PID 2672 wrote to memory of 2976	2672	{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe	44
PID 2672 wrote to memory of 2976	2672	{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe	44
PID 2672 wrote to memory of 2976	2672	{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe	44
PID 2672 wrote to memory of 2976	2672	{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe	44
PID 2972 wrote to memory of 536	2972	{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe	45
PID 2972 wrote to memory of 536	2972	{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe	45
PID 2972 wrote to memory of 536	2972	{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe	45
PID 2972 wrote to memory of 536	2972	{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe	45
PID 2972 wrote to memory of 108	2972	{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe	46
PID 2972 wrote to memory of 108	2972	{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe	46
PID 2972 wrote to memory of 108	2972	{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe	46
PID 2972 wrote to memory of 108	2972	{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe	46

C:\Users\Admin\AppData\Local\Temp\a81b5870fe81d181d03f8566413ab6f0N.exe
"C:\Users\Admin\AppData\Local\Temp\a81b5870fe81d181d03f8566413ab6f0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe
  C:\Windows\{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\{CF684263-3D3C-4cc5-8951-945C1A654834}.exe
    C:\Windows\{CF684263-3D3C-4cc5-8951-945C1A654834}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe
      C:\Windows\{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe
        
        C:\Windows\{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe
        
        C:\Windows\{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe
        
        C:\Windows\{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe
        
        C:\Windows\{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\{2B878A8B-3D88-42d9-8A7F-8AC5FDFDF34D}.exe
        
        C:\Windows\{2B878A8B-3D88-42d9-8A7F-8AC5FDFDF34D}.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\{07E8D9A3-A0F2-4a8f-BBE1-7A18BA5F4E90}.exe
        
        C:\Windows\{07E8D9A3-A0F2-4a8f-BBE1-7A18BA5F4E90}.exe
        10⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B878~1.EXE > nul
        10⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA233~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C134~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF6FC~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7EF5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5201~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CF684~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C4232~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A81B58~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07E8D9A3-A0F2-4a8f-BBE1-7A18BA5F4E90}.exe

Filesize
90KB

MD5
2312102a74af40fd5fad0a8ef898fadf

SHA1
bf7b385943041b448f45f4de99871b4c8bf607b8

SHA256
da9c20c9afd2c582efb53c30e18ede12bc9d7d84287a4d376434cbe4a984cdb9

SHA512
9e74f375d6a375295318b01b4f01371dd6c03f63adbdbeec968e7b6ee1d4bf4082d4ed28c9ce5c9183ba0249fab439ac05c6136096dc0e30f6e59917da9fcca5

Download Submit
C:\Windows\{0C134DF0-683F-4197-BBFD-F95D6F592CE3}.exe

Filesize
90KB

MD5
5b900096323e85fe88c6f196dd2eb88e

SHA1
5774de6c8e076c0af50aba37d4a6bd4f4ca5d0b0

SHA256
f3152a93b0d5807dd239a2c21ec9d265fcd6a180db371de2fd4bf490dcccf680

SHA512
f9bc5aa33e02ef0176206c554411fb3b53e322af3dbe975acf1698aa2313819a9f4f933a6def453146343f2d2556c9e3169981b62990d1487f0df12be699603a

Download Submit
C:\Windows\{2B878A8B-3D88-42d9-8A7F-8AC5FDFDF34D}.exe

Filesize
90KB

MD5
efa6a41a5446dda65f38defa3f237098

SHA1
a9fc805d86c2f2c8cf09c774832fcc32790acc63

SHA256
0d295f29fee224faf64727e3586af1afbad60666c49382bbf2927840be1edb68

SHA512
8a55a4d5c53d09b9339fe1b227c2281b4923f524d526e20e3aebd63ff2f0ef4beec10da0dcabd1f084b3a9162bf2ea542f9093229331a410c75b2cf6d22fd633

Download Submit
C:\Windows\{A7EF50A2-548D-4054-B0D8-54EE10E00B56}.exe

Filesize
90KB

MD5
90d3d7eb5bd0e14117578930027d07ba

SHA1
3dcb6a241af6e311dfa188c9b37758d9fe15cb0b

SHA256
9d58c86fb600f0a0abecc4b5f53f019eab748abc3193afa5b3ded0cac7738f24

SHA512
238fa645bec2760db292a8acd0aebdec5850747e606991c68b2cdcd84bbe9904162bb207345b8ecc19d16002aa54600a2543925f5d0047394976abd02e82e7ba

Download Submit
C:\Windows\{C4232B5A-DBA2-493e-9634-EA2840BDD039}.exe

Filesize
90KB

MD5
09de7660864db49fef49ec83c87ee2fa

SHA1
1fb6f615fe31503a8a47c45d56d6cd552c9e0bbc

SHA256
2a8f302af98e1f11e3191bb589174bae7bc390f7efc2d8649f81a3d379944c40

SHA512
c8c1cc3fedf35a785e99ffaf02d9c7f6e7720755e793d052d80d88570df1726a788336166cdb83f4c42afe723af7d33c910adb7dce27407c8fa349d54c9abd90

Download Submit
C:\Windows\{CF684263-3D3C-4cc5-8951-945C1A654834}.exe

Filesize
90KB

MD5
6309ae5b67d75a662a4bf7c131e2c395

SHA1
44de8ecac247f1a170a4b74961afe31082974943

SHA256
10ffab9002f64b7e709de301e21e5268a685caeca21d2f4bc51dbce7d7bde7b5

SHA512
440660e2060c430438d2e6d7cd480d26bbc0f6e7dbb3f25f3b641c107c0a2c4306548f8d064047da942b69e4dfabfffa9a6638d5fc91b7a884ef33d6c29c8cda

Download Submit
C:\Windows\{CF6FC0FA-0A07-404b-A07F-4D8E26B359DB}.exe

Filesize
90KB

MD5
71ee75ffdef08ae32a1d7ac554e33e66

SHA1
4b63ba8952978d821ffb47e8f310607e8a84e3e0

SHA256
9f3451051f52bef8202ab00454ff7d304a49358c924525d5ac26b068b753bc17

SHA512
4f16c3425888b8c0d671cae62bf4700c26986a2c331709c063376b37da2305e6dafa07d395242f77d9831d9b92d03aeda4302134c136f7def02cd218771f2414

Download Submit
C:\Windows\{EA233217-3A9C-40b2-A39E-4FBD01C6B5F9}.exe

Filesize
90KB

MD5
1b172dc9f3bb406c799e4d800b8cc213

SHA1
e27e954f4f74265d23b62d60abe884404f5ce4a6

SHA256
6916105371803f12762cd04f2505cb7bb3eeb6436e1c51db9796a54563e3b481

SHA512
5efb5bdd0e843c8aff1ed292e21d439e934edaa954668f95b1e230b9875c180109d144499bd4f927f68e1cf4d4bf8acefdabd97e15fa9b3e07827822d0a96a13

Download Submit
C:\Windows\{F5201C44-535C-4cc7-AE02-A8B506E20978}.exe

Filesize
90KB

MD5
aa383302f2d1adb168ea7d2f4b3b84d2

SHA1
98cd5571b190f7ffa199b831cdd1cc4c110a684f

SHA256
555578b77250262fb7414eea1dd7999f24f0000d3d6443eadac0f8669da56aa7

SHA512
efc580d81b64eddf422cab7a2a411950a6d1c440c50b07ee8cf18e798064c48b57305daa14ad1fc91732c7a4bd64916cd31bf60933f1c8ef827bd5529a3c92b5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads