6147dfac2f5e920b95703ce7684d4e9ba7f68dcd6cbee332d6fc61d572443e57

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-08-2024 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe
Size

89KB
MD5

7dd54f5e3ff57a61c78ab4f4f14a7fd0
SHA1

c9e96d8c5b1b7a50b94e63ac5b62939bdaaf68c8
SHA256

6147dfac2f5e920b95703ce7684d4e9ba7f68dcd6cbee332d6fc61d572443e57
SHA512

5eb03204528acb8e23ba8ba664eb27ef9cbda99a1a1d65d02c26ef07e3f380c009036d85c722fd505dadea6f9bf94be86a02ce6da492fc04d9ff097e95a513ee
SSDEEP

768:Qvw9816vhKQLroc4/wQRNrfrunMxVFA3b7glL:YEGh0ocl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC7071C2-FC10-40b8-A43E-A8ADB17636B4}\stubpath = "C:\\Windows\\{DC7071C2-FC10-40b8-A43E-A8ADB17636B4}.exe"	{94D5EC6D-A8ED-478a-B763-9BB0A39E5AB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31336A05-F72F-4ac2-B1DC-9CFC17942B01}\stubpath = "C:\\Windows\\{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe"	7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B868815E-70BA-4f1d-B277-D596A4D59909}\stubpath = "C:\\Windows\\{B868815E-70BA-4f1d-B277-D596A4D59909}.exe"	{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{479135CB-A2A0-4da0-B26B-C666B474D9B9}	{246768E9-0684-485e-9380-FAC892A56E9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{479135CB-A2A0-4da0-B26B-C666B474D9B9}\stubpath = "C:\\Windows\\{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe"	{246768E9-0684-485e-9380-FAC892A56E9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}	{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}	{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31336A05-F72F-4ac2-B1DC-9CFC17942B01}	7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7BD6287-52D1-4e05-9737-199470CCDC9B}\stubpath = "C:\\Windows\\{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe"	{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94D5EC6D-A8ED-478a-B763-9BB0A39E5AB4}\stubpath = "C:\\Windows\\{94D5EC6D-A8ED-478a-B763-9BB0A39E5AB4}.exe"	{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B868815E-70BA-4f1d-B277-D596A4D59909}	{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{246768E9-0684-485e-9380-FAC892A56E9E}	{B868815E-70BA-4f1d-B277-D596A4D59909}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{246768E9-0684-485e-9380-FAC892A56E9E}\stubpath = "C:\\Windows\\{246768E9-0684-485e-9380-FAC892A56E9E}.exe"	{B868815E-70BA-4f1d-B277-D596A4D59909}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}\stubpath = "C:\\Windows\\{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe"	{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7BD6287-52D1-4e05-9737-199470CCDC9B}	{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}\stubpath = "C:\\Windows\\{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe"	{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94D5EC6D-A8ED-478a-B763-9BB0A39E5AB4}	{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC7071C2-FC10-40b8-A43E-A8ADB17636B4}	{94D5EC6D-A8ED-478a-B763-9BB0A39E5AB4}.exe

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2816	{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe
1800	{B868815E-70BA-4f1d-B277-D596A4D59909}.exe
1060	{246768E9-0684-485e-9380-FAC892A56E9E}.exe
2972	{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe
2368	{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe
2676	{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe
1868	{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe
1768	{94D5EC6D-A8ED-478a-B763-9BB0A39E5AB4}.exe
2092	{DC7071C2-FC10-40b8-A43E-A8ADB17636B4}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe	7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe
File created	C:\Windows\{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe	{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe
File created	C:\Windows\{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe	{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe
File created	C:\Windows\{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe	{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe
File created	C:\Windows\{94D5EC6D-A8ED-478a-B763-9BB0A39E5AB4}.exe	{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe
File created	C:\Windows\{DC7071C2-FC10-40b8-A43E-A8ADB17636B4}.exe	{94D5EC6D-A8ED-478a-B763-9BB0A39E5AB4}.exe
File created	C:\Windows\{B868815E-70BA-4f1d-B277-D596A4D59909}.exe	{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe
File created	C:\Windows\{246768E9-0684-485e-9380-FAC892A56E9E}.exe	{B868815E-70BA-4f1d-B277-D596A4D59909}.exe
File created	C:\Windows\{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe	{246768E9-0684-485e-9380-FAC892A56E9E}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B868815E-70BA-4f1d-B277-D596A4D59909}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{246768E9-0684-485e-9380-FAC892A56E9E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94D5EC6D-A8ED-478a-B763-9BB0A39E5AB4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC7071C2-FC10-40b8-A43E-A8ADB17636B4}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2764	7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe
Token: SeIncBasePriorityPrivilege	2816	{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe
Token: SeIncBasePriorityPrivilege	1800	{B868815E-70BA-4f1d-B277-D596A4D59909}.exe
Token: SeIncBasePriorityPrivilege	1060	{246768E9-0684-485e-9380-FAC892A56E9E}.exe
Token: SeIncBasePriorityPrivilege	2972	{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe
Token: SeIncBasePriorityPrivilege	2368	{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe
Token: SeIncBasePriorityPrivilege	2676	{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe
Token: SeIncBasePriorityPrivilege	1868	{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe
Token: SeIncBasePriorityPrivilege	1768	{94D5EC6D-A8ED-478a-B763-9BB0A39E5AB4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2816	2764	7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe	30
PID 2764 wrote to memory of 2816	2764	7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe	30
PID 2764 wrote to memory of 2816	2764	7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe	30
PID 2764 wrote to memory of 2816	2764	7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe	30
PID 2764 wrote to memory of 2644	2764	7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe	31
PID 2764 wrote to memory of 2644	2764	7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe	31
PID 2764 wrote to memory of 2644	2764	7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe	31
PID 2764 wrote to memory of 2644	2764	7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe	31
PID 2816 wrote to memory of 1800	2816	{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe	33
PID 2816 wrote to memory of 1800	2816	{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe	33
PID 2816 wrote to memory of 1800	2816	{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe	33
PID 2816 wrote to memory of 1800	2816	{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe	33
PID 2816 wrote to memory of 2288	2816	{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe	34
PID 2816 wrote to memory of 2288	2816	{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe	34
PID 2816 wrote to memory of 2288	2816	{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe	34
PID 2816 wrote to memory of 2288	2816	{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe	34
PID 1800 wrote to memory of 1060	1800	{B868815E-70BA-4f1d-B277-D596A4D59909}.exe	35
PID 1800 wrote to memory of 1060	1800	{B868815E-70BA-4f1d-B277-D596A4D59909}.exe	35
PID 1800 wrote to memory of 1060	1800	{B868815E-70BA-4f1d-B277-D596A4D59909}.exe	35
PID 1800 wrote to memory of 1060	1800	{B868815E-70BA-4f1d-B277-D596A4D59909}.exe	35
PID 1800 wrote to memory of 1404	1800	{B868815E-70BA-4f1d-B277-D596A4D59909}.exe	36
PID 1800 wrote to memory of 1404	1800	{B868815E-70BA-4f1d-B277-D596A4D59909}.exe	36
PID 1800 wrote to memory of 1404	1800	{B868815E-70BA-4f1d-B277-D596A4D59909}.exe	36
PID 1800 wrote to memory of 1404	1800	{B868815E-70BA-4f1d-B277-D596A4D59909}.exe	36
PID 1060 wrote to memory of 2972	1060	{246768E9-0684-485e-9380-FAC892A56E9E}.exe	37
PID 1060 wrote to memory of 2972	1060	{246768E9-0684-485e-9380-FAC892A56E9E}.exe	37
PID 1060 wrote to memory of 2972	1060	{246768E9-0684-485e-9380-FAC892A56E9E}.exe	37
PID 1060 wrote to memory of 2972	1060	{246768E9-0684-485e-9380-FAC892A56E9E}.exe	37
PID 1060 wrote to memory of 2504	1060	{246768E9-0684-485e-9380-FAC892A56E9E}.exe	38
PID 1060 wrote to memory of 2504	1060	{246768E9-0684-485e-9380-FAC892A56E9E}.exe	38
PID 1060 wrote to memory of 2504	1060	{246768E9-0684-485e-9380-FAC892A56E9E}.exe	38
PID 1060 wrote to memory of 2504	1060	{246768E9-0684-485e-9380-FAC892A56E9E}.exe	38
PID 2972 wrote to memory of 2368	2972	{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe	39
PID 2972 wrote to memory of 2368	2972	{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe	39
PID 2972 wrote to memory of 2368	2972	{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe	39
PID 2972 wrote to memory of 2368	2972	{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe	39
PID 2972 wrote to memory of 2708	2972	{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe	40
PID 2972 wrote to memory of 2708	2972	{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe	40
PID 2972 wrote to memory of 2708	2972	{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe	40
PID 2972 wrote to memory of 2708	2972	{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe	40
PID 2368 wrote to memory of 2676	2368	{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe	41
PID 2368 wrote to memory of 2676	2368	{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe	41
PID 2368 wrote to memory of 2676	2368	{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe	41
PID 2368 wrote to memory of 2676	2368	{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe	41
PID 2368 wrote to memory of 2912	2368	{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe	42
PID 2368 wrote to memory of 2912	2368	{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe	42
PID 2368 wrote to memory of 2912	2368	{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe	42
PID 2368 wrote to memory of 2912	2368	{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe	42
PID 2676 wrote to memory of 1868	2676	{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe	43
PID 2676 wrote to memory of 1868	2676	{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe	43
PID 2676 wrote to memory of 1868	2676	{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe	43
PID 2676 wrote to memory of 1868	2676	{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe	43
PID 2676 wrote to memory of 2968	2676	{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe	44
PID 2676 wrote to memory of 2968	2676	{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe	44
PID 2676 wrote to memory of 2968	2676	{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe	44
PID 2676 wrote to memory of 2968	2676	{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe	44
PID 1868 wrote to memory of 1768	1868	{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe	45
PID 1868 wrote to memory of 1768	1868	{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe	45
PID 1868 wrote to memory of 1768	1868	{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe	45
PID 1868 wrote to memory of 1768	1868	{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe	45
PID 1868 wrote to memory of 2008	1868	{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe	46
PID 1868 wrote to memory of 2008	1868	{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe	46
PID 1868 wrote to memory of 2008	1868	{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe	46
PID 1868 wrote to memory of 2008	1868	{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe	46

C:\Users\Admin\AppData\Local\Temp\7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe
"C:\Users\Admin\AppData\Local\Temp\7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe
  C:\Windows\{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\{B868815E-70BA-4f1d-B277-D596A4D59909}.exe
    C:\Windows\{B868815E-70BA-4f1d-B277-D596A4D59909}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\{246768E9-0684-485e-9380-FAC892A56E9E}.exe
      C:\Windows\{246768E9-0684-485e-9380-FAC892A56E9E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Windows\{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe
        
        C:\Windows\{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Windows\{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe
        
        C:\Windows\{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe
        
        C:\Windows\{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe
        
        C:\Windows\{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{94D5EC6D-A8ED-478a-B763-9BB0A39E5AB4}.exe
        
        C:\Windows\{94D5EC6D-A8ED-478a-B763-9BB0A39E5AB4}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\{DC7071C2-FC10-40b8-A43E-A8ADB17636B4}.exe
        
        C:\Windows\{DC7071C2-FC10-40b8-A43E-A8ADB17636B4}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94D5E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AC7A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7BD6~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB756~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47913~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24676~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B8688~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{31336~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7DD54F~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{246768E9-0684-485e-9380-FAC892A56E9E}.exe

Filesize
89KB

MD5
1729cd1f97d98e0e8d829fe0cf1e3ae5

SHA1
fee85d9c8abe4cd325c38e8027a25a025ef53292

SHA256
2a6bc07045f870f22356ce09e77ba039924378dda4a5ca654dacc924258ca2a7

SHA512
4e516899981423d95fcab3d4183b88e6905aa215d71a9089a1019bb649cceddf7448fddd19e30d73a9e017301e2b657a2ab73252dfb5037cee98b644f317d66c

Download Submit
C:\Windows\{31336A05-F72F-4ac2-B1DC-9CFC17942B01}.exe

Filesize
89KB

MD5
7f4f001eada99f869df03cd7644f87a9

SHA1
7f21d3dcd43be3b4c6d34480f46f1241b3df0552

SHA256
becd57102e9b4d1cbf88883b5f06e85242e1ade2e6785b5b72383123886025f4

SHA512
90fb168041e55b49d6f07d52c3a581124fed1e7bcaae7aa9b446f4be0a857b1e2e657293fcc14e626a4b17d804f38fadae2c3dba996dff13dcd271369a37eb97

Download Submit
C:\Windows\{479135CB-A2A0-4da0-B26B-C666B474D9B9}.exe

Filesize
89KB

MD5
99f68f4d2a9591de117a270ba21fffe4

SHA1
ec28a5c1503a7b5b0d73e5556fb2185a38f34a92

SHA256
c1a09eb7ca7bf8ac632bad46d538e235aa7bbd66357bb67ec948c0bd5e8bda15

SHA512
c2e71d52867679cdf768e94345174e7984394a7de8918375710b2a09532064b4833adde0dc140e715d184cc76ec3ea1e9224ecc9d8ef4b1578e796abb470d0bd

Download Submit
C:\Windows\{5AC7A16C-5C72-4ffc-A61E-9D04B9437E6E}.exe

Filesize
89KB

MD5
50faa8b935143ec543e65307a7009a2e

SHA1
a0b2e28f37dbd191221ad0fb4e870c24374cb471

SHA256
46eedd9da5601f809c57d89e3919f3133715f5bddbcb9daf13807a4b241994e6

SHA512
191f78fc8cbc10f7c4b010941f143879e84d4f235f5e6180dfdd9210f7764031df4c1a05476bb9fe5f74a5b657285f597cdd867feed77e73eda9a2b10a42a141

Download Submit
C:\Windows\{94D5EC6D-A8ED-478a-B763-9BB0A39E5AB4}.exe

Filesize
89KB

MD5
2b7a024e4028990a136b05fb91684782

SHA1
94ebb4987640eb8393ea312e13012e2906cc6e40

SHA256
4bdb6348144f238af887c221308e9854b6a7e8325c4352c9f458cf29ee3861f9

SHA512
9c71a45ebd4bfc7d2e411942447b7d755a6dde0f8e3d0e96e0f2ffcaef914cd503f76791d391f16c962e49938e279c184e8fc9823cea1b20133c24ae81e599cd

Download Submit
C:\Windows\{B868815E-70BA-4f1d-B277-D596A4D59909}.exe

Filesize
89KB

MD5
5933633e906834211b8c533fe733aa93

SHA1
29c4d88b9a8cd55f5e8845f0e929886a831d1ed4

SHA256
cd650c752c6aedf2f4301656b8175802bba50b4db4cc48043d33858d8a60e351

SHA512
2eccb6c11bc3b042665eac481e2e47948f009499dd0e198eadcaada11742187d4a5537ced0d5d69b1feba635ed6911f874d8077b02614313735a0fed60ddeb65

Download Submit
C:\Windows\{C7BD6287-52D1-4e05-9737-199470CCDC9B}.exe

Filesize
89KB

MD5
c2ff4bfce863437b5eddd04947207d5b

SHA1
fa00662af040cfca7fc5c720dfefd019db0ee8e5

SHA256
00aebf546c672a036e8d4cc04b8ab33ccf9e3fdfa142c312a0074d0d9d091bc9

SHA512
58131bf4becf5e4acc3e78b662683b88b96f67fef08e032e288c9b031672cd571533a926201b7521b1dba957e8bc10930573b7c6a43eaac34e5dd72965404e79

Download Submit
C:\Windows\{DC7071C2-FC10-40b8-A43E-A8ADB17636B4}.exe

Filesize
89KB

MD5
8bf55804308ae85b1b64fe2a09f01768

SHA1
df5ca9791ff798dcb6b829b983e38a30d976fa74

SHA256
13a53a73f349caef06907d50b561fa99e4ed5d5d8132791cf540124eca618042

SHA512
4604775ee9569edd378e992d03fcb382ba24d0e051d7555dfbe15f764b1b3fe65280a241b95ac3bf7dd6a97f6425181bbce7f61e909ff5f3a56c46c1df04a895

Download Submit
C:\Windows\{EB7561D8-BF57-45ac-BE19-1C4CE4D5755F}.exe

Filesize
89KB

MD5
ae5c6d95ff5bf902c31f30daa8f908eb

SHA1
4144a7bcbb8c60750bf5ba46eb4a1a4eb64d27a2

SHA256
8a27da22f62882403dcbe504c46d4c709ff31fec1a6ebe61b7d6f4c51b286291

SHA512
fc21fb71e4360e80b8c905951775e2d13e4944c7ec3c4fb1fc94d14701726a1f3f326c8bada757b94a59d16af8ad2d9d085359d3f9327c15860413857e1f51bc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads