28f975742af2f6fb6e2a27f397c758c37867583d1c85df1be90c087c9527db7d

Analysis

max time kernel
118s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cf8a1a3520dbcc70de50b0d990e9e60N.exe
Size

83KB
MD5

3cf8a1a3520dbcc70de50b0d990e9e60
SHA1

687b5dce5900de470c3a4610ae924db2faccbde0
SHA256

28f975742af2f6fb6e2a27f397c758c37867583d1c85df1be90c087c9527db7d
SHA512

dbba31211ee177fd93ea0826a4b45f9c913ff3c80494b79378a4ba04510d34b0b2388cc493c28e72afc32df656afeafbaf4e82488811b18ac35a81efd547b50c
SSDEEP

1536:q4Gh0o4jl0p3nouy8QbunMxVS3HgdoKjhLJh731xvsr:q4Gh0o4505outQCMUyNjhLJh731xvsr

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94921937-1854-4902-8DFB-14E35A64DEE8}	{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}	{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}\stubpath = "C:\\Windows\\{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe"	{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A250AED5-3DCB-470e-966C-D8B32F09892B}	{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94921937-1854-4902-8DFB-14E35A64DEE8}\stubpath = "C:\\Windows\\{94921937-1854-4902-8DFB-14E35A64DEE8}.exe"	{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BE785D3-9355-4bc9-9244-E8AB6893C08B}\stubpath = "C:\\Windows\\{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe"	{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C296F542-374D-4173-9E58-3E33A1C59446}\stubpath = "C:\\Windows\\{C296F542-374D-4173-9E58-3E33A1C59446}.exe"	3cf8a1a3520dbcc70de50b0d990e9e60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4707AF13-A949-442d-B7E0-AB542AAE5827}	{C296F542-374D-4173-9E58-3E33A1C59446}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}	{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED01ACBD-B213-4154-9573-BC9644B2323C}\stubpath = "C:\\Windows\\{ED01ACBD-B213-4154-9573-BC9644B2323C}.exe"	{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C296F542-374D-4173-9E58-3E33A1C59446}	3cf8a1a3520dbcc70de50b0d990e9e60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A250AED5-3DCB-470e-966C-D8B32F09892B}\stubpath = "C:\\Windows\\{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe"	{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B338EC21-1B51-41a9-8F6F-364B57F44795}	{94921937-1854-4902-8DFB-14E35A64DEE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B338EC21-1B51-41a9-8F6F-364B57F44795}\stubpath = "C:\\Windows\\{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe"	{94921937-1854-4902-8DFB-14E35A64DEE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BE785D3-9355-4bc9-9244-E8AB6893C08B}	{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}\stubpath = "C:\\Windows\\{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe"	{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED01ACBD-B213-4154-9573-BC9644B2323C}	{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4707AF13-A949-442d-B7E0-AB542AAE5827}\stubpath = "C:\\Windows\\{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe"	{C296F542-374D-4173-9E58-3E33A1C59446}.exe

Executes dropped EXE 9 IoCs

pid	Process
1036	{C296F542-374D-4173-9E58-3E33A1C59446}.exe
4896	{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe
1200	{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe
3360	{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe
2692	{94921937-1854-4902-8DFB-14E35A64DEE8}.exe
4236	{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe
2036	{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe
3012	{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe
1612	{ED01ACBD-B213-4154-9573-BC9644B2323C}.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4252-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4252-1-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x00070000000234d2-4.dat	upx
behavioral2/memory/1036-5-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4252-7-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1036-8-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1036-13-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x00120000000234cd-11.dat	upx
behavioral2/memory/4896-14-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4896-15-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000e000000023420-16.dat	upx
behavioral2/memory/4896-18-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1200-20-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1200-22-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x00130000000234cd-26.dat	upx
behavioral2/memory/1200-27-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3360-28-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3360-29-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2692-35-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000f000000023420-33.dat	upx
behavioral2/memory/3360-34-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2692-36-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2692-40-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4236-42-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x00150000000234cd-41.dat	upx
behavioral2/memory/4236-43-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0010000000023420-46.dat	upx
behavioral2/memory/4236-48-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2036-47-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2036-50-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x00070000000234e8-53.dat	upx
behavioral2/memory/3012-55-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2036-54-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3012-57-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3012-62-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1612-63-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000e0000000006cf-61.dat	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe	{94921937-1854-4902-8DFB-14E35A64DEE8}.exe
File created	C:\Windows\{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe	{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe
File created	C:\Windows\{94921937-1854-4902-8DFB-14E35A64DEE8}.exe	{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe
File created	C:\Windows\{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe	{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe
File created	C:\Windows\{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe	{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe
File created	C:\Windows\{ED01ACBD-B213-4154-9573-BC9644B2323C}.exe	{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe
File created	C:\Windows\{C296F542-374D-4173-9E58-3E33A1C59446}.exe	3cf8a1a3520dbcc70de50b0d990e9e60N.exe
File created	C:\Windows\{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe	{C296F542-374D-4173-9E58-3E33A1C59446}.exe
File created	C:\Windows\{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe	{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C296F542-374D-4173-9E58-3E33A1C59446}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94921937-1854-4902-8DFB-14E35A64DEE8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ED01ACBD-B213-4154-9573-BC9644B2323C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cf8a1a3520dbcc70de50b0d990e9e60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4252	3cf8a1a3520dbcc70de50b0d990e9e60N.exe
Token: SeIncBasePriorityPrivilege	1036	{C296F542-374D-4173-9E58-3E33A1C59446}.exe
Token: SeIncBasePriorityPrivilege	4896	{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe
Token: SeIncBasePriorityPrivilege	1200	{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe
Token: SeIncBasePriorityPrivilege	3360	{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe
Token: SeIncBasePriorityPrivilege	2692	{94921937-1854-4902-8DFB-14E35A64DEE8}.exe
Token: SeIncBasePriorityPrivilege	4236	{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe
Token: SeIncBasePriorityPrivilege	2036	{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe
Token: SeIncBasePriorityPrivilege	3012	{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 1036	4252	3cf8a1a3520dbcc70de50b0d990e9e60N.exe	95
PID 4252 wrote to memory of 1036	4252	3cf8a1a3520dbcc70de50b0d990e9e60N.exe	95
PID 4252 wrote to memory of 1036	4252	3cf8a1a3520dbcc70de50b0d990e9e60N.exe	95
PID 4252 wrote to memory of 4460	4252	3cf8a1a3520dbcc70de50b0d990e9e60N.exe	96
PID 4252 wrote to memory of 4460	4252	3cf8a1a3520dbcc70de50b0d990e9e60N.exe	96
PID 4252 wrote to memory of 4460	4252	3cf8a1a3520dbcc70de50b0d990e9e60N.exe	96
PID 1036 wrote to memory of 4896	1036	{C296F542-374D-4173-9E58-3E33A1C59446}.exe	97
PID 1036 wrote to memory of 4896	1036	{C296F542-374D-4173-9E58-3E33A1C59446}.exe	97
PID 1036 wrote to memory of 4896	1036	{C296F542-374D-4173-9E58-3E33A1C59446}.exe	97
PID 1036 wrote to memory of 3376	1036	{C296F542-374D-4173-9E58-3E33A1C59446}.exe	98
PID 1036 wrote to memory of 3376	1036	{C296F542-374D-4173-9E58-3E33A1C59446}.exe	98
PID 1036 wrote to memory of 3376	1036	{C296F542-374D-4173-9E58-3E33A1C59446}.exe	98
PID 4896 wrote to memory of 1200	4896	{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe	102
PID 4896 wrote to memory of 1200	4896	{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe	102
PID 4896 wrote to memory of 1200	4896	{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe	102
PID 4896 wrote to memory of 4968	4896	{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe	103
PID 4896 wrote to memory of 4968	4896	{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe	103
PID 4896 wrote to memory of 4968	4896	{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe	103
PID 1200 wrote to memory of 3360	1200	{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe	104
PID 1200 wrote to memory of 3360	1200	{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe	104
PID 1200 wrote to memory of 3360	1200	{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe	104
PID 1200 wrote to memory of 4580	1200	{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe	105
PID 1200 wrote to memory of 4580	1200	{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe	105
PID 1200 wrote to memory of 4580	1200	{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe	105
PID 3360 wrote to memory of 2692	3360	{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe	106
PID 3360 wrote to memory of 2692	3360	{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe	106
PID 3360 wrote to memory of 2692	3360	{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe	106
PID 3360 wrote to memory of 1840	3360	{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe	107
PID 3360 wrote to memory of 1840	3360	{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe	107
PID 3360 wrote to memory of 1840	3360	{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe	107
PID 2692 wrote to memory of 4236	2692	{94921937-1854-4902-8DFB-14E35A64DEE8}.exe	109
PID 2692 wrote to memory of 4236	2692	{94921937-1854-4902-8DFB-14E35A64DEE8}.exe	109
PID 2692 wrote to memory of 4236	2692	{94921937-1854-4902-8DFB-14E35A64DEE8}.exe	109
PID 2692 wrote to memory of 3328	2692	{94921937-1854-4902-8DFB-14E35A64DEE8}.exe	110
PID 2692 wrote to memory of 3328	2692	{94921937-1854-4902-8DFB-14E35A64DEE8}.exe	110
PID 2692 wrote to memory of 3328	2692	{94921937-1854-4902-8DFB-14E35A64DEE8}.exe	110
PID 4236 wrote to memory of 2036	4236	{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe	111
PID 4236 wrote to memory of 2036	4236	{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe	111
PID 4236 wrote to memory of 2036	4236	{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe	111
PID 4236 wrote to memory of 2184	4236	{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe	112
PID 4236 wrote to memory of 2184	4236	{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe	112
PID 4236 wrote to memory of 2184	4236	{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe	112
PID 2036 wrote to memory of 3012	2036	{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe	117
PID 2036 wrote to memory of 3012	2036	{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe	117
PID 2036 wrote to memory of 3012	2036	{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe	117
PID 2036 wrote to memory of 3688	2036	{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe	118
PID 2036 wrote to memory of 3688	2036	{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe	118
PID 2036 wrote to memory of 3688	2036	{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe	118
PID 3012 wrote to memory of 1612	3012	{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe	123
PID 3012 wrote to memory of 1612	3012	{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe	123
PID 3012 wrote to memory of 1612	3012	{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe	123
PID 3012 wrote to memory of 1420	3012	{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe	124
PID 3012 wrote to memory of 1420	3012	{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe	124
PID 3012 wrote to memory of 1420	3012	{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe	124

C:\Users\Admin\AppData\Local\Temp\3cf8a1a3520dbcc70de50b0d990e9e60N.exe
"C:\Users\Admin\AppData\Local\Temp\3cf8a1a3520dbcc70de50b0d990e9e60N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\{C296F542-374D-4173-9E58-3E33A1C59446}.exe
  C:\Windows\{C296F542-374D-4173-9E58-3E33A1C59446}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe
    C:\Windows\{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe
      C:\Windows\{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1200
    - - C:\Windows\{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe
        
        C:\Windows\{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3360
      - C:\Windows\{94921937-1854-4902-8DFB-14E35A64DEE8}.exe
        
        C:\Windows\{94921937-1854-4902-8DFB-14E35A64DEE8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe
        
        C:\Windows\{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe
        
        C:\Windows\{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe
        
        C:\Windows\{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\{ED01ACBD-B213-4154-9573-BC9644B2323C}.exe
        
        C:\Windows\{ED01ACBD-B213-4154-9573-BC9644B2323C}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECF1D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BE78~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B338E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94921~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FC03~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A250A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4707A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C296F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3CF8A1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1BE785D3-9355-4bc9-9244-E8AB6893C08B}.exe

Filesize
83KB

MD5
e13926abeb7c14e61174c1ad57bdb562

SHA1
2bd5304487b5c76e4f072c44f6d8b187102a08a4

SHA256
4d39837a2dde3b92eea4a46130727c7cc9a5cb5899233eade8bd112a5b34e49f

SHA512
e5f2732c06797cfe9092fb75c12309fe8e90b5c58a92895ffc45d5ee0e5ba64fb3651e3b9d0526e92445507fbd849e1dd88e69361005951b856f56691694108f

Download Submit
C:\Windows\{4707AF13-A949-442d-B7E0-AB542AAE5827}.exe

Filesize
83KB

MD5
9f79fa4bc1bc64d91b4ac6a287aac5f7

SHA1
89de2a4b0c9f92f5d20d95bbbbe0ac6747214e56

SHA256
57ad506ffcad257556bada6bb2c24fd9bf103c9efe966db6baae45dc3e4ad883

SHA512
2da8a83a63fd1e4fe45c8ce0a07723c9b07f920e07a20fd9cd15ee342adeddd663508060a38b4b6e7ec9b96cd309a4eef349d7057721125a74667cd9530161b4

Download Submit
C:\Windows\{5FC03E5D-C14F-4093-93CF-01BCB5FCC0E6}.exe

Filesize
83KB

MD5
6f2cd486895faa1821cbc78a4db31e96

SHA1
47544be1d139c0b41ebab10e8b1130c79058dcf6

SHA256
0b57ce03dfb25f4f7802abc1c73a2dc79b240e6bc8473fbf636f533bbee7cd3d

SHA512
5ad63ff1c728948480fa2937de9deffb562607ba8be086fa759f293acd6fd8137939833a5dfe305bc2723a261d0760c38aad915d29a7fc0ab367378151ea756b

Download Submit
C:\Windows\{94921937-1854-4902-8DFB-14E35A64DEE8}.exe

Filesize
83KB

MD5
5c70e5abea5dd0d82cae4f213363346a

SHA1
753e1053033d1c8865ff732c2049d8d512835f90

SHA256
990b1a3759a293df9eda9facfa00b163a2c3b6900b766c6dfbffe8d438d4032e

SHA512
f0d4eed58077734a059a1774c971398f355d6f5c4168db87ec636867208bb04731c7ed82f24a82fd1c1a55a8d7e0140665e73b637f672d620eb752a98c02e922

Download Submit
C:\Windows\{A250AED5-3DCB-470e-966C-D8B32F09892B}.exe

Filesize
83KB

MD5
9132752806c3bfcb5ea6364a24548a31

SHA1
7ef98ddf7ebf7067604d3854991d35ecc4eaa08c

SHA256
b5cc4846a1214474c67677cb6d5343d0ba418ed689cdf33d024a57c381062f1a

SHA512
b44b21ed9a98643f62fd46b13274718eb9bb3fd42bc99f06f26dfe9cbc8798b1f3e528f823516348a8b5b6be2aa506f46b4a8c2b7d80c33bab77fe6857c3a337

Download Submit
C:\Windows\{B338EC21-1B51-41a9-8F6F-364B57F44795}.exe

Filesize
83KB

MD5
4008d1d5f2c484c95af90f20ff220b6a

SHA1
2fc76a9afd34d04b6588b8f411ac935df320b2f1

SHA256
8a60e676d41214d39305fe11baf5feaaa98d3b450773f772015cd2345bbbd6ca

SHA512
b0edd86e49c2562e70ab444b2b6c8b75f9473b268610ef19e68b4757ab18b4ac19a7d515a60ac518a2391f3f0f56cf3c3675556ec0eee474c48564fc594938bc

Download Submit
C:\Windows\{C296F542-374D-4173-9E58-3E33A1C59446}.exe

Filesize
83KB

MD5
ef10a5dc701b8cd394661f9049998113

SHA1
7aaa549842bd74663eca93f6303262342422d5ff

SHA256
ae6e69ec81741d796d14a2b37dc9c5cd284ca65d7b983821571d4a03799e5dc3

SHA512
970ca48d1160803d0d7b011bac02cd2f49ecf6496efaff07ad745cd9598b14278b7c24bd94afefd21b543132ee098428e77f62918726c5239506cec28a5333c5

Download Submit
C:\Windows\{ECF1D9DB-4449-4468-B008-DBB0A6B78F67}.exe

Filesize
83KB

MD5
baacb028fbcbbb37aefe38bc8c921f5e

SHA1
b4a3c1c8a4193e777e68ccbdb64f273d43f87ae4

SHA256
07867f6e87b3b9d21991b0b1b9cb20a1eb71d07db7baf1cf45642a45b5a2adce

SHA512
40f02b27eab33c2341fdf4ebe35706cd16fe118f995ab82b743df02ae25d0a3090d5d27057af005f9c50d8f8634f8204e3c110c1a649f3769f3560c785827702

Download Submit
C:\Windows\{ED01ACBD-B213-4154-9573-BC9644B2323C}.exe

Filesize
83KB

MD5
a3325742ab194077d81a03e13eea53a0

SHA1
640011820bb2af75299bad11c954ffdf4d20a87a

SHA256
c797b981bf103135c9b12345fe81d189801892a7a5f91df987443487826ce922

SHA512
7039220b2f075445c2e18e7782b2dc2e6b4e8a9d7063dcddc6f2c7037db784bfa8923a859cadde208596692db6094bd1439aca1c2c1525aa22a97921d1c8220f

Download Submit
memory/1036-5-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1036-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1036-8-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1200-27-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1200-20-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1200-22-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1612-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2036-50-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2036-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2036-47-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2692-36-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2692-35-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2692-40-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3012-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3012-57-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3012-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3360-34-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3360-29-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3360-28-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4236-48-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4236-43-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4236-42-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4252-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4252-7-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4252-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-15-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4896-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads