103943b36b4956314cd30bed05f1326eebbf0943a567a1a88fdb3866bcef5a9a

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fbccbefff3b5ccf910d697a1e627a40N.exe
Size

89KB
MD5

9fbccbefff3b5ccf910d697a1e627a40
SHA1

ab28b2d25acc841d93a1b8ea88bf4c3da276e5ac
SHA256

103943b36b4956314cd30bed05f1326eebbf0943a567a1a88fdb3866bcef5a9a
SHA512

ac7f40bc378907294ead6a8f77bea29f84d338cb08680b0dba0f9b98c24e9d20b5b471449d42fdcc09707f4e96e30ed1d5dea998f0432f01f7654708b6873942
SSDEEP

768:Qvw9816vhKQLroU4/wQRNrfrunMxVFA3b7gl5:YEGh0oUl2unMxVS3HgX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FBC8C38-B671-49a0-A107-AC2412433E4D}\stubpath = "C:\\Windows\\{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe"	{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}\stubpath = "C:\\Windows\\{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe"	{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F35AA2D8-13C8-4dc1-8649-D5CF2A8DF5DC}	{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C74D398-61D6-437a-B2DF-23A138B251B8}	{37B99E20-942E-4479-A982-30EB54482843}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74708026-1918-433b-88CB-EA18901677AD}	{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73F2F5BF-6688-4484-8131-59F091A49AF6}\stubpath = "C:\\Windows\\{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe"	{74708026-1918-433b-88CB-EA18901677AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FBC8C38-B671-49a0-A107-AC2412433E4D}	{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}	{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F35AA2D8-13C8-4dc1-8649-D5CF2A8DF5DC}\stubpath = "C:\\Windows\\{F35AA2D8-13C8-4dc1-8649-D5CF2A8DF5DC}.exe"	{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AF9F14A-7A7A-46d5-A25F-85A0EDC004A3}	{F35AA2D8-13C8-4dc1-8649-D5CF2A8DF5DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AF9F14A-7A7A-46d5-A25F-85A0EDC004A3}\stubpath = "C:\\Windows\\{8AF9F14A-7A7A-46d5-A25F-85A0EDC004A3}.exe"	{F35AA2D8-13C8-4dc1-8649-D5CF2A8DF5DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37B99E20-942E-4479-A982-30EB54482843}\stubpath = "C:\\Windows\\{37B99E20-942E-4479-A982-30EB54482843}.exe"	9fbccbefff3b5ccf910d697a1e627a40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F468ACF7-1879-4577-AF09-A04B27BDEDCF}	{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73F2F5BF-6688-4484-8131-59F091A49AF6}	{74708026-1918-433b-88CB-EA18901677AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37B99E20-942E-4479-A982-30EB54482843}	9fbccbefff3b5ccf910d697a1e627a40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F468ACF7-1879-4577-AF09-A04B27BDEDCF}\stubpath = "C:\\Windows\\{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe"	{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74708026-1918-433b-88CB-EA18901677AD}\stubpath = "C:\\Windows\\{74708026-1918-433b-88CB-EA18901677AD}.exe"	{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C74D398-61D6-437a-B2DF-23A138B251B8}\stubpath = "C:\\Windows\\{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe"	{37B99E20-942E-4479-A982-30EB54482843}.exe

Deletes itself 1 IoCs

pid	Process
2688	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2820	{37B99E20-942E-4479-A982-30EB54482843}.exe
2864	{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe
2548	{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe
1516	{74708026-1918-433b-88CB-EA18901677AD}.exe
2716	{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe
1536	{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe
876	{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe
1028	{F35AA2D8-13C8-4dc1-8649-D5CF2A8DF5DC}.exe
2508	{8AF9F14A-7A7A-46d5-A25F-85A0EDC004A3}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe	{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe
File created	C:\Windows\{74708026-1918-433b-88CB-EA18901677AD}.exe	{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe
File created	C:\Windows\{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe	{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe
File created	C:\Windows\{37B99E20-942E-4479-A982-30EB54482843}.exe	9fbccbefff3b5ccf910d697a1e627a40N.exe
File created	C:\Windows\{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe	{37B99E20-942E-4479-A982-30EB54482843}.exe
File created	C:\Windows\{F35AA2D8-13C8-4dc1-8649-D5CF2A8DF5DC}.exe	{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe
File created	C:\Windows\{8AF9F14A-7A7A-46d5-A25F-85A0EDC004A3}.exe	{F35AA2D8-13C8-4dc1-8649-D5CF2A8DF5DC}.exe
File created	C:\Windows\{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe	{74708026-1918-433b-88CB-EA18901677AD}.exe
File created	C:\Windows\{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe	{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74708026-1918-433b-88CB-EA18901677AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fbccbefff3b5ccf910d697a1e627a40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{37B99E20-942E-4479-A982-30EB54482843}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F35AA2D8-13C8-4dc1-8649-D5CF2A8DF5DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8AF9F14A-7A7A-46d5-A25F-85A0EDC004A3}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2152	9fbccbefff3b5ccf910d697a1e627a40N.exe
Token: SeIncBasePriorityPrivilege	2820	{37B99E20-942E-4479-A982-30EB54482843}.exe
Token: SeIncBasePriorityPrivilege	2864	{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe
Token: SeIncBasePriorityPrivilege	2548	{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe
Token: SeIncBasePriorityPrivilege	1516	{74708026-1918-433b-88CB-EA18901677AD}.exe
Token: SeIncBasePriorityPrivilege	2716	{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe
Token: SeIncBasePriorityPrivilege	1536	{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe
Token: SeIncBasePriorityPrivilege	876	{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe
Token: SeIncBasePriorityPrivilege	1028	{F35AA2D8-13C8-4dc1-8649-D5CF2A8DF5DC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2820	2152	9fbccbefff3b5ccf910d697a1e627a40N.exe	31
PID 2152 wrote to memory of 2820	2152	9fbccbefff3b5ccf910d697a1e627a40N.exe	31
PID 2152 wrote to memory of 2820	2152	9fbccbefff3b5ccf910d697a1e627a40N.exe	31
PID 2152 wrote to memory of 2820	2152	9fbccbefff3b5ccf910d697a1e627a40N.exe	31
PID 2152 wrote to memory of 2688	2152	9fbccbefff3b5ccf910d697a1e627a40N.exe	32
PID 2152 wrote to memory of 2688	2152	9fbccbefff3b5ccf910d697a1e627a40N.exe	32
PID 2152 wrote to memory of 2688	2152	9fbccbefff3b5ccf910d697a1e627a40N.exe	32
PID 2152 wrote to memory of 2688	2152	9fbccbefff3b5ccf910d697a1e627a40N.exe	32
PID 2820 wrote to memory of 2864	2820	{37B99E20-942E-4479-A982-30EB54482843}.exe	33
PID 2820 wrote to memory of 2864	2820	{37B99E20-942E-4479-A982-30EB54482843}.exe	33
PID 2820 wrote to memory of 2864	2820	{37B99E20-942E-4479-A982-30EB54482843}.exe	33
PID 2820 wrote to memory of 2864	2820	{37B99E20-942E-4479-A982-30EB54482843}.exe	33
PID 2820 wrote to memory of 2672	2820	{37B99E20-942E-4479-A982-30EB54482843}.exe	34
PID 2820 wrote to memory of 2672	2820	{37B99E20-942E-4479-A982-30EB54482843}.exe	34
PID 2820 wrote to memory of 2672	2820	{37B99E20-942E-4479-A982-30EB54482843}.exe	34
PID 2820 wrote to memory of 2672	2820	{37B99E20-942E-4479-A982-30EB54482843}.exe	34
PID 2864 wrote to memory of 2548	2864	{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe	35
PID 2864 wrote to memory of 2548	2864	{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe	35
PID 2864 wrote to memory of 2548	2864	{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe	35
PID 2864 wrote to memory of 2548	2864	{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe	35
PID 2864 wrote to memory of 2600	2864	{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe	36
PID 2864 wrote to memory of 2600	2864	{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe	36
PID 2864 wrote to memory of 2600	2864	{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe	36
PID 2864 wrote to memory of 2600	2864	{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe	36
PID 2548 wrote to memory of 1516	2548	{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe	37
PID 2548 wrote to memory of 1516	2548	{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe	37
PID 2548 wrote to memory of 1516	2548	{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe	37
PID 2548 wrote to memory of 1516	2548	{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe	37
PID 2548 wrote to memory of 2044	2548	{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe	38
PID 2548 wrote to memory of 2044	2548	{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe	38
PID 2548 wrote to memory of 2044	2548	{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe	38
PID 2548 wrote to memory of 2044	2548	{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe	38
PID 1516 wrote to memory of 2716	1516	{74708026-1918-433b-88CB-EA18901677AD}.exe	39
PID 1516 wrote to memory of 2716	1516	{74708026-1918-433b-88CB-EA18901677AD}.exe	39
PID 1516 wrote to memory of 2716	1516	{74708026-1918-433b-88CB-EA18901677AD}.exe	39
PID 1516 wrote to memory of 2716	1516	{74708026-1918-433b-88CB-EA18901677AD}.exe	39
PID 1516 wrote to memory of 2888	1516	{74708026-1918-433b-88CB-EA18901677AD}.exe	40
PID 1516 wrote to memory of 2888	1516	{74708026-1918-433b-88CB-EA18901677AD}.exe	40
PID 1516 wrote to memory of 2888	1516	{74708026-1918-433b-88CB-EA18901677AD}.exe	40
PID 1516 wrote to memory of 2888	1516	{74708026-1918-433b-88CB-EA18901677AD}.exe	40
PID 2716 wrote to memory of 1536	2716	{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe	41
PID 2716 wrote to memory of 1536	2716	{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe	41
PID 2716 wrote to memory of 1536	2716	{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe	41
PID 2716 wrote to memory of 1536	2716	{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe	41
PID 2716 wrote to memory of 2020	2716	{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe	42
PID 2716 wrote to memory of 2020	2716	{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe	42
PID 2716 wrote to memory of 2020	2716	{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe	42
PID 2716 wrote to memory of 2020	2716	{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe	42
PID 1536 wrote to memory of 876	1536	{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe	43
PID 1536 wrote to memory of 876	1536	{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe	43
PID 1536 wrote to memory of 876	1536	{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe	43
PID 1536 wrote to memory of 876	1536	{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe	43
PID 1536 wrote to memory of 2504	1536	{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe	44
PID 1536 wrote to memory of 2504	1536	{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe	44
PID 1536 wrote to memory of 2504	1536	{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe	44
PID 1536 wrote to memory of 2504	1536	{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe	44
PID 876 wrote to memory of 1028	876	{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe	45
PID 876 wrote to memory of 1028	876	{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe	45
PID 876 wrote to memory of 1028	876	{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe	45
PID 876 wrote to memory of 1028	876	{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe	45
PID 876 wrote to memory of 2380	876	{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe	46
PID 876 wrote to memory of 2380	876	{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe	46
PID 876 wrote to memory of 2380	876	{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe	46
PID 876 wrote to memory of 2380	876	{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe	46

C:\Users\Admin\AppData\Local\Temp\9fbccbefff3b5ccf910d697a1e627a40N.exe
"C:\Users\Admin\AppData\Local\Temp\9fbccbefff3b5ccf910d697a1e627a40N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\{37B99E20-942E-4479-A982-30EB54482843}.exe
  C:\Windows\{37B99E20-942E-4479-A982-30EB54482843}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe
    C:\Windows\{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe
      C:\Windows\{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\{74708026-1918-433b-88CB-EA18901677AD}.exe
        
        C:\Windows\{74708026-1918-433b-88CB-EA18901677AD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
      - C:\Windows\{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe
        
        C:\Windows\{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe
        
        C:\Windows\{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe
        
        C:\Windows\{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\{F35AA2D8-13C8-4dc1-8649-D5CF2A8DF5DC}.exe
        
        C:\Windows\{F35AA2D8-13C8-4dc1-8649-D5CF2A8DF5DC}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\{8AF9F14A-7A7A-46d5-A25F-85A0EDC004A3}.exe
        
        C:\Windows\{8AF9F14A-7A7A-46d5-A25F-85A0EDC004A3}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F35AA~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1221~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FBC8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73F2F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74708~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F468A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5C74D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{37B99~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9FBCCB~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FBC8C38-B671-49a0-A107-AC2412433E4D}.exe

Filesize
89KB

MD5
96af555bb166aa4d92664b521ddaaa15

SHA1
1eb90e33a6ca38c91140fa5374e2ea9577eeaaf4

SHA256
0dabf1c9733f91a61907fc243b8dd6e6e90d677f219d559eb3c6bd8d52f98821

SHA512
3fb4c2b320fa101523206531b75f5fcc5900632fc1ecb500f57dc9d947b3efc737f4e37db88d89b0c1201b4aee40398b18cc6f274f864455e8966d5207835d41

Download Submit
C:\Windows\{37B99E20-942E-4479-A982-30EB54482843}.exe

Filesize
89KB

MD5
9d90f2efad609a74108f7110c97f8d1e

SHA1
d865a6806a1abd356a96e76ca1f61d036bf135bf

SHA256
6a6f7cb5bcdb12fe4eaaad492ed06e9250d8e430ab9fe6e13967096a85f2196c

SHA512
391eca8dd7037269fad462b482332dad654f541087848eb0ccd9698e60fbc849518320d5097d867238faaff8cfd6f2297a7da39f136762e435bfe10fa29b9486

Download Submit
C:\Windows\{5C74D398-61D6-437a-B2DF-23A138B251B8}.exe

Filesize
89KB

MD5
1d511abf0139392c7451972c62c6c9c6

SHA1
1d9063525686fbc83caa617b9034948748baf97d

SHA256
eb53f53f77c48bbeb4f438d157a56e3b0c38085099e98c58868d74565bc48044

SHA512
f27597a012c7f1f16ce11e4c56bef7de1c15dd6932c2e52536b7156752060e91d394036f9d6c2b1df5c6aef19811794de28349f8abfd13cd6bcdc94f74237c0c

Download Submit
C:\Windows\{73F2F5BF-6688-4484-8131-59F091A49AF6}.exe

Filesize
89KB

MD5
8db6797aa3866d6b253b4d7d14555670

SHA1
bbb0f2c0ff9cc9374bd6a3db5887b7745d48e96a

SHA256
ed8be1013eb0bb90b894723be84d38d719d1eb9b54a5c5e9f62ad40a034efc2e

SHA512
2e9077db6cb218495f832f59a6076b9ecba7efeb5ec93eae607f97e16f4d53d917350890b53b86a1e9b4f4fd44e2231edef263bd436358adafb6d1a6f79d9c05

Download Submit
C:\Windows\{74708026-1918-433b-88CB-EA18901677AD}.exe

Filesize
89KB

MD5
cc4d24e2b114750d39b189343dcbb758

SHA1
1ff4c41ded83c0eca20417e95fe274c2ed53cc4b

SHA256
fb72b808e0523080f8410398e4b2b74cb7a5e4b0f37eeb80cc6bb66cdd33f775

SHA512
61e435db416de2928a015f366f8992054ff77068540fe45cc52a50a4313b788a83b69d1d2b195d4ed2516b7970a6763392c30a45f4b2cdfd87e871fb596f3b4f

Download Submit
C:\Windows\{8AF9F14A-7A7A-46d5-A25F-85A0EDC004A3}.exe

Filesize
89KB

MD5
305678737e853fc1b9f0a2fa02ceed9b

SHA1
83fb031b7ebb4b630dafb1037f03e4fa1a91fe45

SHA256
ac3e455c35ef0800e3373c1c4ca2153696b88331f2e2b6aeca7df7c4c8918886

SHA512
7863158ea75bf7902b703397d885a98832aa68ab86d4e1b71704cd11be41b67e382dd9bad51534c0ce55f3f71757897c86d4bfc416ce332e98667b1814f1e6fe

Download Submit
C:\Windows\{B12214B2-7EA9-4bb9-92A8-219C93ADB2F7}.exe

Filesize
89KB

MD5
7e6e898f0d3290e37e5c41f86ffdf4cb

SHA1
705f51592db51819e59834fb1459a1625cb306e6

SHA256
81b1c57d88a4742b92f4124e7f2234f1ce871a43266324f721b696c72a1914b7

SHA512
f08507f04e3d902f20252beaaecd2e0ad6787a22ca24d73fc327525d7755faf41528afb238a9a95676cd353b0c617f2d074117c11fed645af57d066372ad2fba

Download Submit
C:\Windows\{F35AA2D8-13C8-4dc1-8649-D5CF2A8DF5DC}.exe

Filesize
89KB

MD5
0106bec3ffc5c9ccd8c42e0d2667e92f

SHA1
12b71d812eaf94a01f6f08c029c32c40cada9d95

SHA256
32e958890928783e3a321407513a8790aeb9c9c56fcdafc10cfc7280b0bab38f

SHA512
e48d9cf14d56e06ffb713b4fab0929c4e3f001bc4c36c542e05b96a5f74db9470f427547bcb6acbb0c8c4671a789ee5313719cd833f5b07fe35b8fea5ca31acc

Download Submit
C:\Windows\{F468ACF7-1879-4577-AF09-A04B27BDEDCF}.exe

Filesize
89KB

MD5
5366efec6bfdc7a7dfa4b4cc44e04230

SHA1
98a53b2548e042237d57a3e63b1637e62a996c58

SHA256
6c651557001f49bdb4695fa8c3848955ce4bcb5cd791268e2d179e19d6967e93

SHA512
afda1258046c3b6c0a6f2f7d07295ca670a88b8ea8cc3b8b635a314655ce8eebae99e4492d50fe5eb46df1b85ad5fd705007c08d268753884c77936a0c0136de

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads