bdf43f490193f57547964d62e9f27ccfac219559912805ac22da73ea09e043ec

Analysis

max time kernel
118s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 06:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a81b5870fe81d181d03f8566413ab6f0N.exe
Size

90KB
MD5

a81b5870fe81d181d03f8566413ab6f0
SHA1

1b542205410f8d014ca532b1211abcd58c0ce74e
SHA256

bdf43f490193f57547964d62e9f27ccfac219559912805ac22da73ea09e043ec
SHA512

d6c13bd2e1ceba9a5eef9aac1601edf2e4f5dfeb1754799d2f72ba31dbd87cf9f866ff1a536987f3fa699c3bb1aa31e4d9c89d4095bd2b78ece3da613d7f2183
SSDEEP

768:Qvw9816vhKQLroaL4/wQRNrfrunMxVFA3b7glw:YEGh0oaLl2unMxVS3Hg

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}	a81b5870fe81d181d03f8566413ab6f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA24597F-C741-439e-8561-C052C95441DC}	{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA24597F-C741-439e-8561-C052C95441DC}\stubpath = "C:\\Windows\\{CA24597F-C741-439e-8561-C052C95441DC}.exe"	{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}\stubpath = "C:\\Windows\\{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe"	{CA24597F-C741-439e-8561-C052C95441DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8E322AE-D768-4157-A08D-3AAB08412221}\stubpath = "C:\\Windows\\{F8E322AE-D768-4157-A08D-3AAB08412221}.exe"	{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}\stubpath = "C:\\Windows\\{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe"	a81b5870fe81d181d03f8566413ab6f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}	{CA24597F-C741-439e-8561-C052C95441DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB00B66C-0B00-4ec4-94AE-6E028158B84A}\stubpath = "C:\\Windows\\{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe"	{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29B68A63-CD46-49e9-A10F-61E6A616B240}	{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB00B66C-0B00-4ec4-94AE-6E028158B84A}	{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D9712DD-58B1-4fbe-8027-AF77EB99792D}	{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D9712DD-58B1-4fbe-8027-AF77EB99792D}\stubpath = "C:\\Windows\\{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe"	{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}\stubpath = "C:\\Windows\\{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe"	{577EB830-270A-43b4-B56E-571F8804AFAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29B68A63-CD46-49e9-A10F-61E6A616B240}\stubpath = "C:\\Windows\\{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe"	{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{577EB830-270A-43b4-B56E-571F8804AFAF}	{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{577EB830-270A-43b4-B56E-571F8804AFAF}\stubpath = "C:\\Windows\\{577EB830-270A-43b4-B56E-571F8804AFAF}.exe"	{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}	{577EB830-270A-43b4-B56E-571F8804AFAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8E322AE-D768-4157-A08D-3AAB08412221}	{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe

Executes dropped EXE 9 IoCs

pid	Process
2936	{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe
4756	{CA24597F-C741-439e-8561-C052C95441DC}.exe
3980	{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe
872	{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe
3188	{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe
2220	{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe
2756	{577EB830-270A-43b4-B56E-571F8804AFAF}.exe
4888	{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe
3016	{F8E322AE-D768-4157-A08D-3AAB08412221}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{577EB830-270A-43b4-B56E-571F8804AFAF}.exe	{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe
File created	C:\Windows\{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe	{577EB830-270A-43b4-B56E-571F8804AFAF}.exe
File created	C:\Windows\{CA24597F-C741-439e-8561-C052C95441DC}.exe	{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe
File created	C:\Windows\{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe	{CA24597F-C741-439e-8561-C052C95441DC}.exe
File created	C:\Windows\{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe	{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe
File created	C:\Windows\{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe	{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe
File created	C:\Windows\{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe	a81b5870fe81d181d03f8566413ab6f0N.exe
File created	C:\Windows\{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe	{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe
File created	C:\Windows\{F8E322AE-D768-4157-A08D-3AAB08412221}.exe	{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{577EB830-270A-43b4-B56E-571F8804AFAF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F8E322AE-D768-4157-A08D-3AAB08412221}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA24597F-C741-439e-8561-C052C95441DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a81b5870fe81d181d03f8566413ab6f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1152	a81b5870fe81d181d03f8566413ab6f0N.exe
Token: SeIncBasePriorityPrivilege	2936	{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe
Token: SeIncBasePriorityPrivilege	4756	{CA24597F-C741-439e-8561-C052C95441DC}.exe
Token: SeIncBasePriorityPrivilege	3980	{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe
Token: SeIncBasePriorityPrivilege	872	{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe
Token: SeIncBasePriorityPrivilege	3188	{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe
Token: SeIncBasePriorityPrivilege	2220	{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe
Token: SeIncBasePriorityPrivilege	2756	{577EB830-270A-43b4-B56E-571F8804AFAF}.exe
Token: SeIncBasePriorityPrivilege	4888	{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2936	1152	a81b5870fe81d181d03f8566413ab6f0N.exe	95
PID 1152 wrote to memory of 2936	1152	a81b5870fe81d181d03f8566413ab6f0N.exe	95
PID 1152 wrote to memory of 2936	1152	a81b5870fe81d181d03f8566413ab6f0N.exe	95
PID 1152 wrote to memory of 5028	1152	a81b5870fe81d181d03f8566413ab6f0N.exe	96
PID 1152 wrote to memory of 5028	1152	a81b5870fe81d181d03f8566413ab6f0N.exe	96
PID 1152 wrote to memory of 5028	1152	a81b5870fe81d181d03f8566413ab6f0N.exe	96
PID 2936 wrote to memory of 4756	2936	{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe	97
PID 2936 wrote to memory of 4756	2936	{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe	97
PID 2936 wrote to memory of 4756	2936	{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe	97
PID 2936 wrote to memory of 1284	2936	{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe	98
PID 2936 wrote to memory of 1284	2936	{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe	98
PID 2936 wrote to memory of 1284	2936	{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe	98
PID 4756 wrote to memory of 3980	4756	{CA24597F-C741-439e-8561-C052C95441DC}.exe	103
PID 4756 wrote to memory of 3980	4756	{CA24597F-C741-439e-8561-C052C95441DC}.exe	103
PID 4756 wrote to memory of 3980	4756	{CA24597F-C741-439e-8561-C052C95441DC}.exe	103
PID 4756 wrote to memory of 3992	4756	{CA24597F-C741-439e-8561-C052C95441DC}.exe	104
PID 4756 wrote to memory of 3992	4756	{CA24597F-C741-439e-8561-C052C95441DC}.exe	104
PID 4756 wrote to memory of 3992	4756	{CA24597F-C741-439e-8561-C052C95441DC}.exe	104
PID 3980 wrote to memory of 872	3980	{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe	105
PID 3980 wrote to memory of 872	3980	{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe	105
PID 3980 wrote to memory of 872	3980	{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe	105
PID 3980 wrote to memory of 2064	3980	{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe	106
PID 3980 wrote to memory of 2064	3980	{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe	106
PID 3980 wrote to memory of 2064	3980	{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe	106
PID 872 wrote to memory of 3188	872	{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe	107
PID 872 wrote to memory of 3188	872	{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe	107
PID 872 wrote to memory of 3188	872	{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe	107
PID 872 wrote to memory of 5040	872	{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe	108
PID 872 wrote to memory of 5040	872	{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe	108
PID 872 wrote to memory of 5040	872	{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe	108
PID 3188 wrote to memory of 2220	3188	{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe	110
PID 3188 wrote to memory of 2220	3188	{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe	110
PID 3188 wrote to memory of 2220	3188	{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe	110
PID 3188 wrote to memory of 1368	3188	{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe	111
PID 3188 wrote to memory of 1368	3188	{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe	111
PID 3188 wrote to memory of 1368	3188	{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe	111
PID 2220 wrote to memory of 2756	2220	{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe	112
PID 2220 wrote to memory of 2756	2220	{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe	112
PID 2220 wrote to memory of 2756	2220	{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe	112
PID 2220 wrote to memory of 1644	2220	{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe	113
PID 2220 wrote to memory of 1644	2220	{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe	113
PID 2220 wrote to memory of 1644	2220	{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe	113
PID 2756 wrote to memory of 4888	2756	{577EB830-270A-43b4-B56E-571F8804AFAF}.exe	117
PID 2756 wrote to memory of 4888	2756	{577EB830-270A-43b4-B56E-571F8804AFAF}.exe	117
PID 2756 wrote to memory of 4888	2756	{577EB830-270A-43b4-B56E-571F8804AFAF}.exe	117
PID 2756 wrote to memory of 4300	2756	{577EB830-270A-43b4-B56E-571F8804AFAF}.exe	118
PID 2756 wrote to memory of 4300	2756	{577EB830-270A-43b4-B56E-571F8804AFAF}.exe	118
PID 2756 wrote to memory of 4300	2756	{577EB830-270A-43b4-B56E-571F8804AFAF}.exe	118
PID 4888 wrote to memory of 3016	4888	{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe	122
PID 4888 wrote to memory of 3016	4888	{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe	122
PID 4888 wrote to memory of 3016	4888	{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe	122
PID 4888 wrote to memory of 408	4888	{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe	123
PID 4888 wrote to memory of 408	4888	{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe	123
PID 4888 wrote to memory of 408	4888	{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe	123

C:\Users\Admin\AppData\Local\Temp\a81b5870fe81d181d03f8566413ab6f0N.exe
"C:\Users\Admin\AppData\Local\Temp\a81b5870fe81d181d03f8566413ab6f0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe
  C:\Windows\{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\{CA24597F-C741-439e-8561-C052C95441DC}.exe
    C:\Windows\{CA24597F-C741-439e-8561-C052C95441DC}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe
      C:\Windows\{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe
        
        C:\Windows\{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
      - C:\Windows\{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe
        
        C:\Windows\{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe
        
        C:\Windows\{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\{577EB830-270A-43b4-B56E-571F8804AFAF}.exe
        
        C:\Windows\{577EB830-270A-43b4-B56E-571F8804AFAF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe
        
        C:\Windows\{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\{F8E322AE-D768-4157-A08D-3AAB08412221}.exe
        
        C:\Windows\{F8E322AE-D768-4157-A08D-3AAB08412221}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E3F8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{577EB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29B68~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D971~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB00B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10D30~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CA245~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1E545~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A81B58~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D9712DD-58B1-4fbe-8027-AF77EB99792D}.exe

Filesize
90KB

MD5
7e370e879de4fb0b189fe0f07d50d7a3

SHA1
64f1575814e637fe6f1476c925209ef93ca358b2

SHA256
858b634dd81288a25eef3d7f6973fa10b806179ab963fbac4ae1bb52e562f953

SHA512
cffdebc24bf21c36f08dd9c65e4f577c70a561d0ec736f131ab14e6f868dd053068540b935090deedb252397372331baed6f4af8f99e66949d2ffc037ba26175

Download Submit
C:\Windows\{10D30FEF-BAFF-4d7a-B4CA-A07F0DE98436}.exe

Filesize
90KB

MD5
ccd536a5c3466a35bbcb95671c8cc009

SHA1
c1454238339c20aaf5e3f3941b32ee41dd569d9b

SHA256
bb51f2ea70f73e81589a1adedbb0c1f5e04df2e35443b902ee301741c7929eae

SHA512
9c4afaaadbb219725d26c5b14b833ca796c1fb7abbe85b39cb3b9da9353659148c312a73311f99d8fcf9e37275e0b64940cf89974f4de5681539802958959d13

Download Submit
C:\Windows\{1E3F8FBF-C413-45d9-A5C4-C82EFA1A7698}.exe

Filesize
90KB

MD5
51f2a27e2bd4ca6f7530e01d4a85cc22

SHA1
51466127131ca57a6ce0d96ca74de0039710c4d8

SHA256
f779e2a9eabcb9c87954c2e45861ee601bdd78a4e87029e2a2f271cb8c295cd6

SHA512
5c83403eb9316d16ab1bedf2711fbdc0dcb6ad3cdd09c66f5240b8f8e3abd2968a23739c2a3a0a0cf5b54166b28469317c005a9da0bb70bb42fdf08a66981b7f

Download Submit
C:\Windows\{1E545DA5-8EAB-43ce-8B1C-B902B5912C02}.exe

Filesize
90KB

MD5
104bd9eef0cea4a37bc2acd8a34c68aa

SHA1
108ad8a597500a2e6de89898cb823a1b3c134569

SHA256
b9c094e903ee528cc95bc0a1e6e50df6ae28ed4bcedbec14afa07fd01d65eab5

SHA512
615a2b2de5bbe3b98c973aecdcbe7b245c35791fcae385236def3076aced68ce7f15708a3f4f67f11801a0abb95c76664ab5f5112240b74b8f7f2dd37a8725e6

Download Submit
C:\Windows\{29B68A63-CD46-49e9-A10F-61E6A616B240}.exe

Filesize
90KB

MD5
779cac248dd908b24e9a51d4e128d8c0

SHA1
2eab85ded6b40c7c07f329adeb128f6f72bff9b2

SHA256
3597831039fd9f27ed9dbbf81235865e25351e4b17c26d4d548add2710365c7a

SHA512
0937a6efb77f98a82224d7f5d0f083fce430ce1ababd39c06c29046b3322da432d386de34a1bd1e7edd690b6281cf3249dacd5ca2e0077aa57886dbba8fe0813

Download Submit
C:\Windows\{577EB830-270A-43b4-B56E-571F8804AFAF}.exe

Filesize
90KB

MD5
872bbc0e67fdbb1270243432dec7f0dc

SHA1
f73b910fe810ae21e7f0567d404cb9461ac2f1fb

SHA256
ccaecde0298de0cb6751ae19d615eb64d98efbdf71d5223fb74617e4b9cca089

SHA512
fa522b2110d8981e548c0a10c06d09cff7b5ce53b96e7ea887e6f2ae4174ed941e377a2c079cf61eea2c1fe33ea72b3edddf15d2ebffd9b9c49f0094a5660c8b

Download Submit
C:\Windows\{CA24597F-C741-439e-8561-C052C95441DC}.exe

Filesize
90KB

MD5
a833575c059354cc98d5188e96d43362

SHA1
1b5a6c4dced9fe030587b0a14feece4f18a70506

SHA256
1718471708675e9a67279cd8c00a4a92b926ffcea81728f20af684873ffbb59a

SHA512
ac64a067b8cb11d7a052c3aa81c4a19f9267c610669aade05739a1940069bb46786c8805ffb94b8e719aec314713fea9ce67d0525c7ca468294a77d11a123745

Download Submit
C:\Windows\{DB00B66C-0B00-4ec4-94AE-6E028158B84A}.exe

Filesize
90KB

MD5
a4f7376380358201041a0e405479e66c

SHA1
93ad0ed0ca285b94f4217ed7925294197413deb4

SHA256
49641fe896b0d995d43bb3783c27cd171c9cc8e5753ad5b0350dcd5e3a0266ca

SHA512
0f3435ebf352b570c0a0f8bc1f86aa9f284f58061dd317701f3b329237362d3559781af2561850a37bb2a51a059a949302d34fe33a75486057fd695c9c74f859

Download Submit
C:\Windows\{F8E322AE-D768-4157-A08D-3AAB08412221}.exe

Filesize
90KB

MD5
8e561ae75b4c9a8a5f650652b15150d8

SHA1
b26fe18542e7aa0e04b6c7cde2f74ae422d2f684

SHA256
d84ea6b21f5bd5a4402d63d01190824f2258f4f10452c1c5cb210ee5340e7722

SHA512
37b20dc7742219b0982c51a08fdfc180599b61a0b7d9679a62931042ed70459c06e5c844d1b16dfdcea950abe554692ed6c29e98cf4bf18a86fbe44fab3e5fbf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads