b838db5d109117028a9c3ec8de1ad4f1f2dcf41524d71c400caee99100247ef7

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
28-08-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

934e5fbc2d110b89156d066a6a9ea450N.exe
Size

60KB
MD5

934e5fbc2d110b89156d066a6a9ea450
SHA1

f42f42ba628edd491d8321d4a27b2ed9a58e4d53
SHA256

b838db5d109117028a9c3ec8de1ad4f1f2dcf41524d71c400caee99100247ef7
SHA512

9e9356075192399935c7f1045d30af45781a5c1f7726ad941d3df2a8e35ac8c5c09bc8a8e5165f4e9a016c4a9f9cd0df42b8e8f3514e0d483f71d19167c332f7
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLrom4/CFsrdHWMZ:vvw9816vhKQLrom4/wQpWMZ

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BACF901-4D50-472b-AE65-3A5621EF645B}	934e5fbc2d110b89156d066a6a9ea450N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}\stubpath = "C:\\Windows\\{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe"	{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}\stubpath = "C:\\Windows\\{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe"	{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BACF901-4D50-472b-AE65-3A5621EF645B}\stubpath = "C:\\Windows\\{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe"	934e5fbc2d110b89156d066a6a9ea450N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}	{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}\stubpath = "C:\\Windows\\{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe"	{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{184F9368-C9E5-4134-9F83-D7144572D50B}\stubpath = "C:\\Windows\\{184F9368-C9E5-4134-9F83-D7144572D50B}.exe"	{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDD3FC04-501D-4abb-9563-0F041621089A}\stubpath = "C:\\Windows\\{BDD3FC04-501D-4abb-9563-0F041621089A}.exe"	{184F9368-C9E5-4134-9F83-D7144572D50B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}	{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}\stubpath = "C:\\Windows\\{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe"	{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{184F9368-C9E5-4134-9F83-D7144572D50B}	{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC756B02-2BE8-438a-825D-BE7C890252F3}	{BDD3FC04-501D-4abb-9563-0F041621089A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC756B02-2BE8-438a-825D-BE7C890252F3}\stubpath = "C:\\Windows\\{CC756B02-2BE8-438a-825D-BE7C890252F3}.exe"	{BDD3FC04-501D-4abb-9563-0F041621089A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}	{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}	{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}	{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}\stubpath = "C:\\Windows\\{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe"	{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDD3FC04-501D-4abb-9563-0F041621089A}	{184F9368-C9E5-4134-9F83-D7144572D50B}.exe

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2712	{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe
2584	{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe
2636	{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe
1244	{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe
2184	{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe
2400	{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe
3040	{184F9368-C9E5-4134-9F83-D7144572D50B}.exe
2196	{BDD3FC04-501D-4abb-9563-0F041621089A}.exe
768	{CC756B02-2BE8-438a-825D-BE7C890252F3}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe	934e5fbc2d110b89156d066a6a9ea450N.exe
File created	C:\Windows\{BDD3FC04-501D-4abb-9563-0F041621089A}.exe	{184F9368-C9E5-4134-9F83-D7144572D50B}.exe
File created	C:\Windows\{CC756B02-2BE8-438a-825D-BE7C890252F3}.exe	{BDD3FC04-501D-4abb-9563-0F041621089A}.exe
File created	C:\Windows\{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe	{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe
File created	C:\Windows\{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe	{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe
File created	C:\Windows\{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe	{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe
File created	C:\Windows\{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe	{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe
File created	C:\Windows\{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe	{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe
File created	C:\Windows\{184F9368-C9E5-4134-9F83-D7144572D50B}.exe	{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{184F9368-C9E5-4134-9F83-D7144572D50B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BDD3FC04-501D-4abb-9563-0F041621089A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CC756B02-2BE8-438a-825D-BE7C890252F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	934e5fbc2d110b89156d066a6a9ea450N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2752	934e5fbc2d110b89156d066a6a9ea450N.exe
Token: SeIncBasePriorityPrivilege	2712	{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe
Token: SeIncBasePriorityPrivilege	2584	{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe
Token: SeIncBasePriorityPrivilege	2636	{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe
Token: SeIncBasePriorityPrivilege	1244	{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe
Token: SeIncBasePriorityPrivilege	2184	{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe
Token: SeIncBasePriorityPrivilege	2400	{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe
Token: SeIncBasePriorityPrivilege	3040	{184F9368-C9E5-4134-9F83-D7144572D50B}.exe
Token: SeIncBasePriorityPrivilege	2196	{BDD3FC04-501D-4abb-9563-0F041621089A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2712	2752	934e5fbc2d110b89156d066a6a9ea450N.exe	30
PID 2752 wrote to memory of 2712	2752	934e5fbc2d110b89156d066a6a9ea450N.exe	30
PID 2752 wrote to memory of 2712	2752	934e5fbc2d110b89156d066a6a9ea450N.exe	30
PID 2752 wrote to memory of 2712	2752	934e5fbc2d110b89156d066a6a9ea450N.exe	30
PID 2752 wrote to memory of 2696	2752	934e5fbc2d110b89156d066a6a9ea450N.exe	31
PID 2752 wrote to memory of 2696	2752	934e5fbc2d110b89156d066a6a9ea450N.exe	31
PID 2752 wrote to memory of 2696	2752	934e5fbc2d110b89156d066a6a9ea450N.exe	31
PID 2752 wrote to memory of 2696	2752	934e5fbc2d110b89156d066a6a9ea450N.exe	31
PID 2712 wrote to memory of 2584	2712	{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe	32
PID 2712 wrote to memory of 2584	2712	{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe	32
PID 2712 wrote to memory of 2584	2712	{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe	32
PID 2712 wrote to memory of 2584	2712	{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe	32
PID 2712 wrote to memory of 2616	2712	{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe	33
PID 2712 wrote to memory of 2616	2712	{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe	33
PID 2712 wrote to memory of 2616	2712	{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe	33
PID 2712 wrote to memory of 2616	2712	{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe	33
PID 2584 wrote to memory of 2636	2584	{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe	34
PID 2584 wrote to memory of 2636	2584	{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe	34
PID 2584 wrote to memory of 2636	2584	{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe	34
PID 2584 wrote to memory of 2636	2584	{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe	34
PID 2584 wrote to memory of 2220	2584	{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe	35
PID 2584 wrote to memory of 2220	2584	{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe	35
PID 2584 wrote to memory of 2220	2584	{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe	35
PID 2584 wrote to memory of 2220	2584	{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe	35
PID 2636 wrote to memory of 1244	2636	{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe	36
PID 2636 wrote to memory of 1244	2636	{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe	36
PID 2636 wrote to memory of 1244	2636	{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe	36
PID 2636 wrote to memory of 1244	2636	{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe	36
PID 2636 wrote to memory of 1904	2636	{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe	37
PID 2636 wrote to memory of 1904	2636	{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe	37
PID 2636 wrote to memory of 1904	2636	{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe	37
PID 2636 wrote to memory of 1904	2636	{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe	37
PID 1244 wrote to memory of 2184	1244	{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe	38
PID 1244 wrote to memory of 2184	1244	{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe	38
PID 1244 wrote to memory of 2184	1244	{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe	38
PID 1244 wrote to memory of 2184	1244	{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe	38
PID 1244 wrote to memory of 1040	1244	{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe	39
PID 1244 wrote to memory of 1040	1244	{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe	39
PID 1244 wrote to memory of 1040	1244	{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe	39
PID 1244 wrote to memory of 1040	1244	{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe	39
PID 2184 wrote to memory of 2400	2184	{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe	40
PID 2184 wrote to memory of 2400	2184	{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe	40
PID 2184 wrote to memory of 2400	2184	{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe	40
PID 2184 wrote to memory of 2400	2184	{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe	40
PID 2184 wrote to memory of 2388	2184	{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe	41
PID 2184 wrote to memory of 2388	2184	{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe	41
PID 2184 wrote to memory of 2388	2184	{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe	41
PID 2184 wrote to memory of 2388	2184	{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe	41
PID 2400 wrote to memory of 3040	2400	{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe	42
PID 2400 wrote to memory of 3040	2400	{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe	42
PID 2400 wrote to memory of 3040	2400	{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe	42
PID 2400 wrote to memory of 3040	2400	{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe	42
PID 2400 wrote to memory of 2620	2400	{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe	43
PID 2400 wrote to memory of 2620	2400	{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe	43
PID 2400 wrote to memory of 2620	2400	{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe	43
PID 2400 wrote to memory of 2620	2400	{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe	43
PID 3040 wrote to memory of 2196	3040	{184F9368-C9E5-4134-9F83-D7144572D50B}.exe	44
PID 3040 wrote to memory of 2196	3040	{184F9368-C9E5-4134-9F83-D7144572D50B}.exe	44
PID 3040 wrote to memory of 2196	3040	{184F9368-C9E5-4134-9F83-D7144572D50B}.exe	44
PID 3040 wrote to memory of 2196	3040	{184F9368-C9E5-4134-9F83-D7144572D50B}.exe	44
PID 3040 wrote to memory of 2540	3040	{184F9368-C9E5-4134-9F83-D7144572D50B}.exe	45
PID 3040 wrote to memory of 2540	3040	{184F9368-C9E5-4134-9F83-D7144572D50B}.exe	45
PID 3040 wrote to memory of 2540	3040	{184F9368-C9E5-4134-9F83-D7144572D50B}.exe	45
PID 3040 wrote to memory of 2540	3040	{184F9368-C9E5-4134-9F83-D7144572D50B}.exe	45

C:\Users\Admin\AppData\Local\Temp\934e5fbc2d110b89156d066a6a9ea450N.exe
"C:\Users\Admin\AppData\Local\Temp\934e5fbc2d110b89156d066a6a9ea450N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe
  C:\Windows\{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe
    C:\Windows\{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe
      C:\Windows\{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe
        
        C:\Windows\{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1244
      - C:\Windows\{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe
        
        C:\Windows\{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe
        
        C:\Windows\{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\{184F9368-C9E5-4134-9F83-D7144572D50B}.exe
        
        C:\Windows\{184F9368-C9E5-4134-9F83-D7144572D50B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\{BDD3FC04-501D-4abb-9563-0F041621089A}.exe
        
        C:\Windows\{BDD3FC04-501D-4abb-9563-0F041621089A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\{CC756B02-2BE8-438a-825D-BE7C890252F3}.exe
        
        C:\Windows\{CC756B02-2BE8-438a-825D-BE7C890252F3}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDD3F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{184F9~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B65A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66EE8~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FA62~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B6E9~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2C586~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5BACF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\934E5F~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{184F9368-C9E5-4134-9F83-D7144572D50B}.exe

Filesize
60KB

MD5
584927df93dfda3bcaa8e3f4fe9f219c

SHA1
edf330666d182616e3064abc78cd283ef9d279c9

SHA256
d3411c9a694c1900dd3287f0c9155357dc5eaef6253bab2d2e8b0ecce7df77d7

SHA512
02b2cd4bf686797886b1e1dddb1254a4d566a9cdcaa7c8ee12f16ba1e92ee54a18af8122810d6b3ec32bb73722004496fe5ee25af19d7093de850f7035c02356

Download Submit
C:\Windows\{1FA6242D-DCC8-4da4-B74C-CEEDB6250B4F}.exe

Filesize
60KB

MD5
213443942c3df6b669eb4b7a4f99be12

SHA1
9b9f989958c5ba9a1137d21f14fe0d106cee963f

SHA256
c10f1539ebc6ae5a176e66e4bc02bd10f508bb5455302dae6daf6ea09e65ea1b

SHA512
af878c319c58f418b01ae66c5673ad5588d9331689ae628a41a5245b80556921ddf7f9eee11ae72a3583f67e475ea345b456bb3592a54e560d90ad108cb9a121

Download Submit
C:\Windows\{2C5864AF-5782-44fd-B302-A1C0BB80F6B8}.exe

Filesize
60KB

MD5
630389c57c104da2d31ba9c00148c2e4

SHA1
fc9af35d9684c89f23ba1752548025a3ee1b4fa0

SHA256
a6794910598fe91859e72153f810f17f5b203e2de4a9c2cbe5baa8c8ceabac13

SHA512
c348dcd5bf0b7160bd30e82fe7a367add23b2053bdea6ba5639faa8ed62c997d9b309596c224c3c22e1d10ff9abf3e24d477bc3a377e70446bae4fdbc80da4e6

Download Submit
C:\Windows\{3B65A500-0A68-4c40-B4DA-61BD88B2EBBC}.exe

Filesize
60KB

MD5
d384e0a43e14cb977314a97236b01ab2

SHA1
74c5a995b5946275bff68d41484994c49283cd64

SHA256
81f4cecfd07e508d4bfc117893f480d157797a417798d412bd0ded87aaed6540

SHA512
23739a78121fe6b59e3fd85325cfb1dbcfe6df41dafcd604dfcff8a5fb58ac2c66b72cdab37ce1243c6adc0c707e9f46bcfc3f9ae69d084596354f012c56efb7

Download Submit
C:\Windows\{5BACF901-4D50-472b-AE65-3A5621EF645B}.exe

Filesize
60KB

MD5
4bd49fb00ae858f7d262fc3bd71868d1

SHA1
75b4b9865078d1311376a75f5a3cd53dd2120043

SHA256
6eb4da91690f543a4db63145572379e38ed75984c37103b8f4601572fd5705fb

SHA512
862beccc065374d85a8f4ec2e2bf418ce5b313b1bf0da9556297c3df8f1cd9dc5db0b4fbe98129fa2a28f837ce064eb0309f3121e4442773d053f660e246f276

Download Submit
C:\Windows\{66EE81F5-958A-47e7-8ECF-0BD49A4FDF7D}.exe

Filesize
60KB

MD5
4a27e6465048cc0534d3f47e7b28d347

SHA1
414acf95888dd014375eb196dbb19f283ae27049

SHA256
1a79bb238db249fa326446de35afb16d216e989ac170069844b1e99746d68630

SHA512
9beb36d95d2740af3a0c812c6ccffc7a5782dc7286f0636db7a46b4cb6a4921c6769cc41ed8f70f36c9681c1d4299627aa93b0dc1045e958dcf1def0ec835712

Download Submit
C:\Windows\{7B6E9A17-1AD4-4787-87C1-756F3F3200FD}.exe

Filesize
60KB

MD5
e42e86b34aa0584026e84fd1ca2159cb

SHA1
f4c40eaa5ccd3267e1b893ec2b7fdd67fbf4c121

SHA256
ae3ed8a39c89caac4f13d743393e3e0dd6113638fd2da6e839b6bf3d9a7fcdc8

SHA512
962806519d4983eb90717daec3fe43c10fd7a7eac4dd4eccb625adfa079ccce145f049db45be73e821eadd31eeb4080cc155e274fc179cb06beaf13df6775c23

Download Submit
C:\Windows\{BDD3FC04-501D-4abb-9563-0F041621089A}.exe

Filesize
60KB

MD5
8346148971ceeb1b4901f069641fdc46

SHA1
0eea9b850b32373dcb780d1eb8cb747f6eae038f

SHA256
4303eb0ec8adbc5b6f6b52150acb609b4ba0d66c3fab28a428b6cf7aaf780791

SHA512
97f1fe8478d2198f74a2f0090bc394b009f36ed3b572e400cc3b4f9690f7df2de5a1ebd214919dd729e229f9a88ec8863e528742f0e4307efa22941d3daa0926

Download Submit
C:\Windows\{CC756B02-2BE8-438a-825D-BE7C890252F3}.exe

Filesize
60KB

MD5
46163a37dd0253559374ff7f771a4da0

SHA1
96a8f4ecdf655882b8f90593c4edc0439c885434

SHA256
c3922e3126bace45512a17b47b3081380a0e25372d586a17c9d6fe54be08a786

SHA512
cf85310774814e61af83116aaaf6452ffd2fe086938edc6fc40228a1ba0bd4325c7a0df62ba42c2f37f25be6c06c5fe4e2cdfe4399c961f1e932615cdb31d620

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads