9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe
Size

91KB
MD5

6aaa82a1a35c888202a679ac95600143
SHA1

eedffc86062dbea12402bc12f7a421c3e0eeb688
SHA256

9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973
SHA512

f2e354120f5737297c6a2bb592b31bc5a851cedfc23e61bf4208b8c9dd3e68d7cf3c69647a25ffdf222d29aa83c7d01ae75c64ea4350fc402711ce0f31466d13
SSDEEP

768:5vw9816uhKiroZ4/wQNNrfrunMxVFA3b7t:lEGkmoZlCunMxVS3Ht

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E431DE7-FF80-4c94-A096-90D6447F3DF8}\stubpath = "C:\\Windows\\{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe"	{1839B27B-C558-4c85-9696-B9FF19062A43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3227657-87F7-40f3-975A-CAE4594E98EA}	{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE29898A-A886-4382-BA87-2D93FD567182}\stubpath = "C:\\Windows\\{EE29898A-A886-4382-BA87-2D93FD567182}.exe"	{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FE52858-9F27-4dc4-810F-5B997D693151}\stubpath = "C:\\Windows\\{8FE52858-9F27-4dc4-810F-5B997D693151}.exe"	{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3227657-87F7-40f3-975A-CAE4594E98EA}\stubpath = "C:\\Windows\\{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe"	{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FE52858-9F27-4dc4-810F-5B997D693151}	{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2375C4D5-44D2-4cd2-BEC2-091BC0A3CB31}	{8FE52858-9F27-4dc4-810F-5B997D693151}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9478CED3-E4FC-45af-ABC5-9EED25730B62}\stubpath = "C:\\Windows\\{9478CED3-E4FC-45af-ABC5-9EED25730B62}.exe"	{8A805BDF-90DD-4d16-9D64-34714345E3C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{736AC8C6-3DE7-4031-BF9A-41CD03201B29}\stubpath = "C:\\Windows\\{736AC8C6-3DE7-4031-BF9A-41CD03201B29}.exe"	{9478CED3-E4FC-45af-ABC5-9EED25730B62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E431DE7-FF80-4c94-A096-90D6447F3DF8}	{1839B27B-C558-4c85-9696-B9FF19062A43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}\stubpath = "C:\\Windows\\{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe"	{EE29898A-A886-4382-BA87-2D93FD567182}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2375C4D5-44D2-4cd2-BEC2-091BC0A3CB31}\stubpath = "C:\\Windows\\{2375C4D5-44D2-4cd2-BEC2-091BC0A3CB31}.exe"	{8FE52858-9F27-4dc4-810F-5B997D693151}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A805BDF-90DD-4d16-9D64-34714345E3C7}	{2375C4D5-44D2-4cd2-BEC2-091BC0A3CB31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}\stubpath = "C:\\Windows\\{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe"	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1839B27B-C558-4c85-9696-B9FF19062A43}	{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1839B27B-C558-4c85-9696-B9FF19062A43}\stubpath = "C:\\Windows\\{1839B27B-C558-4c85-9696-B9FF19062A43}.exe"	{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE29898A-A886-4382-BA87-2D93FD567182}	{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}	{EE29898A-A886-4382-BA87-2D93FD567182}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A805BDF-90DD-4d16-9D64-34714345E3C7}\stubpath = "C:\\Windows\\{8A805BDF-90DD-4d16-9D64-34714345E3C7}.exe"	{2375C4D5-44D2-4cd2-BEC2-091BC0A3CB31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9478CED3-E4FC-45af-ABC5-9EED25730B62}	{8A805BDF-90DD-4d16-9D64-34714345E3C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{736AC8C6-3DE7-4031-BF9A-41CD03201B29}	{9478CED3-E4FC-45af-ABC5-9EED25730B62}.exe

Deletes itself 1 IoCs

pid	Process
620	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2416	{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe
2828	{1839B27B-C558-4c85-9696-B9FF19062A43}.exe
2912	{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe
2632	{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe
664	{EE29898A-A886-4382-BA87-2D93FD567182}.exe
2436	{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe
2872	{8FE52858-9F27-4dc4-810F-5B997D693151}.exe
2976	{2375C4D5-44D2-4cd2-BEC2-091BC0A3CB31}.exe
2156	{8A805BDF-90DD-4d16-9D64-34714345E3C7}.exe
3016	{9478CED3-E4FC-45af-ABC5-9EED25730B62}.exe
1080	{736AC8C6-3DE7-4031-BF9A-41CD03201B29}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1839B27B-C558-4c85-9696-B9FF19062A43}.exe	{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe
File created	C:\Windows\{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe	{1839B27B-C558-4c85-9696-B9FF19062A43}.exe
File created	C:\Windows\{EE29898A-A886-4382-BA87-2D93FD567182}.exe	{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe
File created	C:\Windows\{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe	{EE29898A-A886-4382-BA87-2D93FD567182}.exe
File created	C:\Windows\{8FE52858-9F27-4dc4-810F-5B997D693151}.exe	{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe
File created	C:\Windows\{8A805BDF-90DD-4d16-9D64-34714345E3C7}.exe	{2375C4D5-44D2-4cd2-BEC2-091BC0A3CB31}.exe
File created	C:\Windows\{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe
File created	C:\Windows\{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe	{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe
File created	C:\Windows\{2375C4D5-44D2-4cd2-BEC2-091BC0A3CB31}.exe	{8FE52858-9F27-4dc4-810F-5B997D693151}.exe
File created	C:\Windows\{9478CED3-E4FC-45af-ABC5-9EED25730B62}.exe	{8A805BDF-90DD-4d16-9D64-34714345E3C7}.exe
File created	C:\Windows\{736AC8C6-3DE7-4031-BF9A-41CD03201B29}.exe	{9478CED3-E4FC-45af-ABC5-9EED25730B62}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1839B27B-C558-4c85-9696-B9FF19062A43}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8FE52858-9F27-4dc4-810F-5B997D693151}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9478CED3-E4FC-45af-ABC5-9EED25730B62}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2375C4D5-44D2-4cd2-BEC2-091BC0A3CB31}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE29898A-A886-4382-BA87-2D93FD567182}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A805BDF-90DD-4d16-9D64-34714345E3C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{736AC8C6-3DE7-4031-BF9A-41CD03201B29}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2032	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe
Token: SeIncBasePriorityPrivilege	2416	{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe
Token: SeIncBasePriorityPrivilege	2828	{1839B27B-C558-4c85-9696-B9FF19062A43}.exe
Token: SeIncBasePriorityPrivilege	2912	{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe
Token: SeIncBasePriorityPrivilege	2632	{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe
Token: SeIncBasePriorityPrivilege	664	{EE29898A-A886-4382-BA87-2D93FD567182}.exe
Token: SeIncBasePriorityPrivilege	2436	{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe
Token: SeIncBasePriorityPrivilege	2872	{8FE52858-9F27-4dc4-810F-5B997D693151}.exe
Token: SeIncBasePriorityPrivilege	2976	{2375C4D5-44D2-4cd2-BEC2-091BC0A3CB31}.exe
Token: SeIncBasePriorityPrivilege	2156	{8A805BDF-90DD-4d16-9D64-34714345E3C7}.exe
Token: SeIncBasePriorityPrivilege	3016	{9478CED3-E4FC-45af-ABC5-9EED25730B62}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2416	2032	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe	31
PID 2032 wrote to memory of 2416	2032	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe	31
PID 2032 wrote to memory of 2416	2032	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe	31
PID 2032 wrote to memory of 2416	2032	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe	31
PID 2032 wrote to memory of 620	2032	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe	32
PID 2032 wrote to memory of 620	2032	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe	32
PID 2032 wrote to memory of 620	2032	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe	32
PID 2032 wrote to memory of 620	2032	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe	32
PID 2416 wrote to memory of 2828	2416	{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe	33
PID 2416 wrote to memory of 2828	2416	{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe	33
PID 2416 wrote to memory of 2828	2416	{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe	33
PID 2416 wrote to memory of 2828	2416	{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe	33
PID 2416 wrote to memory of 2856	2416	{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe	34
PID 2416 wrote to memory of 2856	2416	{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe	34
PID 2416 wrote to memory of 2856	2416	{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe	34
PID 2416 wrote to memory of 2856	2416	{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe	34
PID 2828 wrote to memory of 2912	2828	{1839B27B-C558-4c85-9696-B9FF19062A43}.exe	35
PID 2828 wrote to memory of 2912	2828	{1839B27B-C558-4c85-9696-B9FF19062A43}.exe	35
PID 2828 wrote to memory of 2912	2828	{1839B27B-C558-4c85-9696-B9FF19062A43}.exe	35
PID 2828 wrote to memory of 2912	2828	{1839B27B-C558-4c85-9696-B9FF19062A43}.exe	35
PID 2828 wrote to memory of 1684	2828	{1839B27B-C558-4c85-9696-B9FF19062A43}.exe	36
PID 2828 wrote to memory of 1684	2828	{1839B27B-C558-4c85-9696-B9FF19062A43}.exe	36
PID 2828 wrote to memory of 1684	2828	{1839B27B-C558-4c85-9696-B9FF19062A43}.exe	36
PID 2828 wrote to memory of 1684	2828	{1839B27B-C558-4c85-9696-B9FF19062A43}.exe	36
PID 2912 wrote to memory of 2632	2912	{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe	37
PID 2912 wrote to memory of 2632	2912	{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe	37
PID 2912 wrote to memory of 2632	2912	{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe	37
PID 2912 wrote to memory of 2632	2912	{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe	37
PID 2912 wrote to memory of 2700	2912	{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe	38
PID 2912 wrote to memory of 2700	2912	{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe	38
PID 2912 wrote to memory of 2700	2912	{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe	38
PID 2912 wrote to memory of 2700	2912	{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe	38
PID 2632 wrote to memory of 664	2632	{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe	39
PID 2632 wrote to memory of 664	2632	{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe	39
PID 2632 wrote to memory of 664	2632	{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe	39
PID 2632 wrote to memory of 664	2632	{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe	39
PID 2632 wrote to memory of 2372	2632	{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe	40
PID 2632 wrote to memory of 2372	2632	{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe	40
PID 2632 wrote to memory of 2372	2632	{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe	40
PID 2632 wrote to memory of 2372	2632	{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe	40
PID 664 wrote to memory of 2436	664	{EE29898A-A886-4382-BA87-2D93FD567182}.exe	41
PID 664 wrote to memory of 2436	664	{EE29898A-A886-4382-BA87-2D93FD567182}.exe	41
PID 664 wrote to memory of 2436	664	{EE29898A-A886-4382-BA87-2D93FD567182}.exe	41
PID 664 wrote to memory of 2436	664	{EE29898A-A886-4382-BA87-2D93FD567182}.exe	41
PID 664 wrote to memory of 1852	664	{EE29898A-A886-4382-BA87-2D93FD567182}.exe	42
PID 664 wrote to memory of 1852	664	{EE29898A-A886-4382-BA87-2D93FD567182}.exe	42
PID 664 wrote to memory of 1852	664	{EE29898A-A886-4382-BA87-2D93FD567182}.exe	42
PID 664 wrote to memory of 1852	664	{EE29898A-A886-4382-BA87-2D93FD567182}.exe	42
PID 2436 wrote to memory of 2872	2436	{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe	43
PID 2436 wrote to memory of 2872	2436	{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe	43
PID 2436 wrote to memory of 2872	2436	{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe	43
PID 2436 wrote to memory of 2872	2436	{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe	43
PID 2436 wrote to memory of 2920	2436	{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe	44
PID 2436 wrote to memory of 2920	2436	{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe	44
PID 2436 wrote to memory of 2920	2436	{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe	44
PID 2436 wrote to memory of 2920	2436	{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe	44
PID 2872 wrote to memory of 2976	2872	{8FE52858-9F27-4dc4-810F-5B997D693151}.exe	45
PID 2872 wrote to memory of 2976	2872	{8FE52858-9F27-4dc4-810F-5B997D693151}.exe	45
PID 2872 wrote to memory of 2976	2872	{8FE52858-9F27-4dc4-810F-5B997D693151}.exe	45
PID 2872 wrote to memory of 2976	2872	{8FE52858-9F27-4dc4-810F-5B997D693151}.exe	45
PID 2872 wrote to memory of 2960	2872	{8FE52858-9F27-4dc4-810F-5B997D693151}.exe	46
PID 2872 wrote to memory of 2960	2872	{8FE52858-9F27-4dc4-810F-5B997D693151}.exe	46
PID 2872 wrote to memory of 2960	2872	{8FE52858-9F27-4dc4-810F-5B997D693151}.exe	46
PID 2872 wrote to memory of 2960	2872	{8FE52858-9F27-4dc4-810F-5B997D693151}.exe	46

C:\Users\Admin\AppData\Local\Temp\9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe
"C:\Users\Admin\AppData\Local\Temp\9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe
  C:\Windows\{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\{1839B27B-C558-4c85-9696-B9FF19062A43}.exe
    C:\Windows\{1839B27B-C558-4c85-9696-B9FF19062A43}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe
      C:\Windows\{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe
        
        C:\Windows\{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\{EE29898A-A886-4382-BA87-2D93FD567182}.exe
        
        C:\Windows\{EE29898A-A886-4382-BA87-2D93FD567182}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe
        
        C:\Windows\{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\{8FE52858-9F27-4dc4-810F-5B997D693151}.exe
        
        C:\Windows\{8FE52858-9F27-4dc4-810F-5B997D693151}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{2375C4D5-44D2-4cd2-BEC2-091BC0A3CB31}.exe
        
        C:\Windows\{2375C4D5-44D2-4cd2-BEC2-091BC0A3CB31}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\{8A805BDF-90DD-4d16-9D64-34714345E3C7}.exe
        
        C:\Windows\{8A805BDF-90DD-4d16-9D64-34714345E3C7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\{9478CED3-E4FC-45af-ABC5-9EED25730B62}.exe
        
        C:\Windows\{9478CED3-E4FC-45af-ABC5-9EED25730B62}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\{736AC8C6-3DE7-4031-BF9A-41CD03201B29}.exe
        
        C:\Windows\{736AC8C6-3DE7-4031-BF9A-41CD03201B29}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9478C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A805~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2375C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FE52~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF580~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE298~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3227~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E431~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1839B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E8344~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9E5D33~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1839B27B-C558-4c85-9696-B9FF19062A43}.exe

Filesize
91KB

MD5
3c246510902554bf82bc171e1348a02e

SHA1
70f9c32bdd8dd9f222e9174696c6553f51036f1f

SHA256
c7d2ba00411a67271bcf2e5603e415e924dcb8d49ec1b7831e9845425ac1f202

SHA512
12823be1c05de80d80894cd5c5f478f8d5ed8bf460ecb89b4e0725075e581be5e4db4be4f45709103c8e3901404ec17a9e14c4515094e491a96f05a451bc4cd9

Download Submit
C:\Windows\{2375C4D5-44D2-4cd2-BEC2-091BC0A3CB31}.exe

Filesize
91KB

MD5
11d46733f019ab6b303a8e537d440beb

SHA1
564c0de89ed106008a87e458c716b3ba3b7a1e26

SHA256
2d461a87fee7c35a092ceae1e032196265c8eef57f8fa159a3926eb9e554c536

SHA512
d62a42c203147294d730e0b5a28e30d0c623cc418477a59936987b8d6435648f78eacf7d8afdb901f4593186062b20cbe9669dfd420ea1ff5999c840cc80ff46

Download Submit
C:\Windows\{5E431DE7-FF80-4c94-A096-90D6447F3DF8}.exe

Filesize
91KB

MD5
ed27b78b2d450047edd830293b7eaf88

SHA1
77acf593721e085c0b9a5257d06a62beaff8ac70

SHA256
4c17f39d221c9e79335ec98d94db9e5ed9b511f80307526c6930a51052469e6d

SHA512
168759b5a4c2d22922537eb4195998d200fe4c06ed646ab2de8a088845083b67b84320a35b4b7605da0e1d28f264bc905684f97d9bf278cbc02ce6641ec00e24

Download Submit
C:\Windows\{736AC8C6-3DE7-4031-BF9A-41CD03201B29}.exe

Filesize
91KB

MD5
301ef11e3594cd5f3dd928939bc8ce42

SHA1
2aceec35715a796bac164c9a379882af78ed3c84

SHA256
476d54de0e7914ee145d0b835379048dbef6fecf753581eaba6d257b43a4e7b0

SHA512
bb1d277c2446822ef9e8f844abb1ea9a0d514cd9faf823652991c99ad7e060960db10301ee752f78a2fd5f299cdec6215c316d4fc29f8334e7bfd6b1efc1eed9

Download Submit
C:\Windows\{8A805BDF-90DD-4d16-9D64-34714345E3C7}.exe

Filesize
91KB

MD5
1c19f08d3e70db50825176b4a2039379

SHA1
6bf1931dfd65acfab87d5a19e0038b5d72962322

SHA256
49a75ab8572797184f4b17c6adab64f37b8ecc149071af03b90f44d0e912617f

SHA512
a62986270c10cd7de3526cc68794643cde549fd800c846ab49c858857c621b6baf4e225c8288435fc4293287d72db88bf6794b9728399bf80e081090b4b9c642

Download Submit
C:\Windows\{8FE52858-9F27-4dc4-810F-5B997D693151}.exe

Filesize
91KB

MD5
30aa161b2ecac7423546f80357fb6b4c

SHA1
90e24423cfd796aa66765afc492057a446fc0b14

SHA256
0a79b8ee6787456e8740da4bff6cb7d1117137f8578e2fcc2b47d12753f56f5f

SHA512
54552f33215356539b2feb59a50e051adc743c92ed7960d3c1430164b46e4502bc1ce202a2a2bc4b697b7299d12e8ba2101ba01b793f8de31bd352b59db23592

Download Submit
C:\Windows\{9478CED3-E4FC-45af-ABC5-9EED25730B62}.exe

Filesize
91KB

MD5
aa9f2418e3d8949a49713d5f3e13b8a2

SHA1
9ed3f32156a86bc039d8d7f7693d13a842e8d2f5

SHA256
1ce77b32a32b3cf762c149dbb4c3563729a98c45acf98ae12abdaa32626087b6

SHA512
ab3632c8ac20f07538111c567d14c4639dd28748ccd80cb4655fe9b29b3b2048556c8a5972de2102a1a5933a606a8e56fc193dd12d4cae12042b811e441166d5

Download Submit
C:\Windows\{B3227657-87F7-40f3-975A-CAE4594E98EA}.exe

Filesize
91KB

MD5
0516fea535d839c55841f752109cd67f

SHA1
a57a673c0e2ad7c2de17aefec41814a26254f71f

SHA256
fde1def4c5dbab5208704ec8436efbd83d9427c7ea9dc7338e3209b979716035

SHA512
b31542c6efbb3c6ad4b71bce511dcd99f51f353ec35111ab95342f24fd5819b77047f358dd047edb2a57bff97377d7f31a7f9d7d612dd65467566a41e109daae

Download Submit
C:\Windows\{E8344185-B6B8-4e1c-A9C9-F9A067D348C6}.exe

Filesize
91KB

MD5
01e46bcf176710ebe96a6afcf8c3a915

SHA1
8d8c5a04981d0d01273ddba07d0b697cbeb52603

SHA256
3f42d6827669353af2d3b27c9322adebefd266689ddd41a2cab3120f9705c060

SHA512
c192cba231fc00157c5506396e2ef83db3d8216d7e7d1a96f08969a840984d231c4bde74b9558d77cc6a535f66ee1ef2cd06b9caa69f350db9959ac5a1ae082e

Download Submit
C:\Windows\{EE29898A-A886-4382-BA87-2D93FD567182}.exe

Filesize
91KB

MD5
2495f1b56081ebf41381c2997c97cc28

SHA1
f3252a73f12f595abb7136119e8fd66b1a812cc1

SHA256
12eb8ec2c99fdc656d13ffeaf1e11f8e23f73819b666671e9931b89439b85d41

SHA512
cb0c4f616128b4f2d9a6dc11b4d9187284e36fefc8d4a92089727237de50182aa6a25a22d191fdc332119cfa39b0037635c210fec7d44f1d457df91da88144d6

Download Submit
C:\Windows\{FF580FC5-A6E8-489d-B39A-D115EE40E2C1}.exe

Filesize
91KB

MD5
2fe6d446bdb3abce98c6c9f9509baad1

SHA1
858d4fc46df6080e73afcef5430ba4e63998277e

SHA256
acdb211eeba67e4df1ba57b100d8ac46dce10e313d35308a831ddcac0b0983f4

SHA512
e8ad2769c5c3d838d1f00cad666893c1b0fa90f198b8abfd75f90c2a9922a47692c9011f21a9e9b52d350d53e7a133bf33d799976c9cf7598a5a1a6035d11b41

Download Submit
memory/664-50-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/664-55-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/664-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2032-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2032-3-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/2032-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2032-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2156-87-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2156-93-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2416-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2416-13-0x0000000001E20000-0x0000000001E31000-memory.dmp

Filesize
68KB

Download
memory/2436-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2436-60-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2632-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2632-40-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2632-45-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2828-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2828-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2828-22-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2872-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2872-69-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/2912-32-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/2912-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2976-84-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2976-78-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/3016-96-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/3016-102-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads