718808e6d1498f946b742dd0c577e100570efa7f5055ad130dfcfb95abd9f19a

Analysis

max time kernel
118s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb44961145fa27f4afcc07a479c16fe0N.exe
Size

89KB
MD5

cb44961145fa27f4afcc07a479c16fe0
SHA1

98f814ea85463b1562a95ded1a45bb5a0d2332e8
SHA256

718808e6d1498f946b742dd0c577e100570efa7f5055ad130dfcfb95abd9f19a
SHA512

9473f0b16fee1bfd4f9b325f053268263ce75815ad64301e8ad1175039783ce69a690783ddf1909ec7da2ed909e9bfa24fc13e849078470c3990004918fec160
SSDEEP

768:5vw9816thKQLro44/wQkNrfrunMxVFA3k:lEG/0o4lbunMxVS3k

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}\stubpath = "C:\\Windows\\{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe"	{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CD0B9EB-32E9-4a96-B527-9BDE74128979}\stubpath = "C:\\Windows\\{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe"	{E865A40D-0723-43dc-A01A-34086C183D6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{437CB8E7-11C1-4791-B361-940A9E6C4385}\stubpath = "C:\\Windows\\{437CB8E7-11C1-4791-B361-940A9E6C4385}.exe"	{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}	cb44961145fa27f4afcc07a479c16fe0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59B8D4BD-603F-4c5c-B5EB-391159568DBE}\stubpath = "C:\\Windows\\{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe"	{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}\stubpath = "C:\\Windows\\{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe"	{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}	{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11EADA16-9C82-43ae-9DD9-37139DF598CD}\stubpath = "C:\\Windows\\{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe"	{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CD0B9EB-32E9-4a96-B527-9BDE74128979}	{E865A40D-0723-43dc-A01A-34086C183D6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59B8D4BD-603F-4c5c-B5EB-391159568DBE}	{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4AB3024-C151-446b-90B9-9C4AB4D5C086}\stubpath = "C:\\Windows\\{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe"	{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E865A40D-0723-43dc-A01A-34086C183D6C}\stubpath = "C:\\Windows\\{E865A40D-0723-43dc-A01A-34086C183D6C}.exe"	{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E865A40D-0723-43dc-A01A-34086C183D6C}	{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{437CB8E7-11C1-4791-B361-940A9E6C4385}	{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}\stubpath = "C:\\Windows\\{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe"	cb44961145fa27f4afcc07a479c16fe0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11EADA16-9C82-43ae-9DD9-37139DF598CD}	{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4AB3024-C151-446b-90B9-9C4AB4D5C086}	{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}	{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe

Executes dropped EXE 9 IoCs

pid	Process
1908	{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe
364	{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe
3276	{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe
3484	{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe
4900	{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe
4560	{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe
2736	{E865A40D-0723-43dc-A01A-34086C183D6C}.exe
1664	{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe
3920	{437CB8E7-11C1-4791-B361-940A9E6C4385}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe	{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe
File created	C:\Windows\{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe	{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe
File created	C:\Windows\{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe	{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe
File created	C:\Windows\{E865A40D-0723-43dc-A01A-34086C183D6C}.exe	{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe
File created	C:\Windows\{437CB8E7-11C1-4791-B361-940A9E6C4385}.exe	{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe
File created	C:\Windows\{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe	cb44961145fa27f4afcc07a479c16fe0N.exe
File created	C:\Windows\{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe	{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe
File created	C:\Windows\{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe	{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe
File created	C:\Windows\{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe	{E865A40D-0723-43dc-A01A-34086C183D6C}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{437CB8E7-11C1-4791-B361-940A9E6C4385}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb44961145fa27f4afcc07a479c16fe0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E865A40D-0723-43dc-A01A-34086C183D6C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3900	cb44961145fa27f4afcc07a479c16fe0N.exe
Token: SeIncBasePriorityPrivilege	1908	{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe
Token: SeIncBasePriorityPrivilege	364	{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe
Token: SeIncBasePriorityPrivilege	3276	{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe
Token: SeIncBasePriorityPrivilege	3484	{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe
Token: SeIncBasePriorityPrivilege	4900	{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe
Token: SeIncBasePriorityPrivilege	4560	{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe
Token: SeIncBasePriorityPrivilege	2736	{E865A40D-0723-43dc-A01A-34086C183D6C}.exe
Token: SeIncBasePriorityPrivilege	1664	{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 1908	3900	cb44961145fa27f4afcc07a479c16fe0N.exe	95
PID 3900 wrote to memory of 1908	3900	cb44961145fa27f4afcc07a479c16fe0N.exe	95
PID 3900 wrote to memory of 1908	3900	cb44961145fa27f4afcc07a479c16fe0N.exe	95
PID 3900 wrote to memory of 392	3900	cb44961145fa27f4afcc07a479c16fe0N.exe	96
PID 3900 wrote to memory of 392	3900	cb44961145fa27f4afcc07a479c16fe0N.exe	96
PID 3900 wrote to memory of 392	3900	cb44961145fa27f4afcc07a479c16fe0N.exe	96
PID 1908 wrote to memory of 364	1908	{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe	97
PID 1908 wrote to memory of 364	1908	{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe	97
PID 1908 wrote to memory of 364	1908	{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe	97
PID 1908 wrote to memory of 2812	1908	{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe	98
PID 1908 wrote to memory of 2812	1908	{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe	98
PID 1908 wrote to memory of 2812	1908	{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe	98
PID 364 wrote to memory of 3276	364	{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe	102
PID 364 wrote to memory of 3276	364	{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe	102
PID 364 wrote to memory of 3276	364	{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe	102
PID 364 wrote to memory of 3140	364	{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe	103
PID 364 wrote to memory of 3140	364	{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe	103
PID 364 wrote to memory of 3140	364	{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe	103
PID 3276 wrote to memory of 3484	3276	{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe	104
PID 3276 wrote to memory of 3484	3276	{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe	104
PID 3276 wrote to memory of 3484	3276	{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe	104
PID 3276 wrote to memory of 4220	3276	{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe	105
PID 3276 wrote to memory of 4220	3276	{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe	105
PID 3276 wrote to memory of 4220	3276	{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe	105
PID 3484 wrote to memory of 4900	3484	{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe	106
PID 3484 wrote to memory of 4900	3484	{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe	106
PID 3484 wrote to memory of 4900	3484	{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe	106
PID 3484 wrote to memory of 3168	3484	{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe	107
PID 3484 wrote to memory of 3168	3484	{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe	107
PID 3484 wrote to memory of 3168	3484	{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe	107
PID 4900 wrote to memory of 4560	4900	{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe	109
PID 4900 wrote to memory of 4560	4900	{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe	109
PID 4900 wrote to memory of 4560	4900	{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe	109
PID 4900 wrote to memory of 1728	4900	{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe	110
PID 4900 wrote to memory of 1728	4900	{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe	110
PID 4900 wrote to memory of 1728	4900	{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe	110
PID 4560 wrote to memory of 2736	4560	{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe	111
PID 4560 wrote to memory of 2736	4560	{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe	111
PID 4560 wrote to memory of 2736	4560	{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe	111
PID 4560 wrote to memory of 4504	4560	{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe	112
PID 4560 wrote to memory of 4504	4560	{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe	112
PID 4560 wrote to memory of 4504	4560	{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe	112
PID 2736 wrote to memory of 1664	2736	{E865A40D-0723-43dc-A01A-34086C183D6C}.exe	117
PID 2736 wrote to memory of 1664	2736	{E865A40D-0723-43dc-A01A-34086C183D6C}.exe	117
PID 2736 wrote to memory of 1664	2736	{E865A40D-0723-43dc-A01A-34086C183D6C}.exe	117
PID 2736 wrote to memory of 2172	2736	{E865A40D-0723-43dc-A01A-34086C183D6C}.exe	118
PID 2736 wrote to memory of 2172	2736	{E865A40D-0723-43dc-A01A-34086C183D6C}.exe	118
PID 2736 wrote to memory of 2172	2736	{E865A40D-0723-43dc-A01A-34086C183D6C}.exe	118
PID 1664 wrote to memory of 3920	1664	{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe	123
PID 1664 wrote to memory of 3920	1664	{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe	123
PID 1664 wrote to memory of 3920	1664	{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe	123
PID 1664 wrote to memory of 3344	1664	{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe	124
PID 1664 wrote to memory of 3344	1664	{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe	124
PID 1664 wrote to memory of 3344	1664	{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe	124

C:\Users\Admin\AppData\Local\Temp\cb44961145fa27f4afcc07a479c16fe0N.exe
"C:\Users\Admin\AppData\Local\Temp\cb44961145fa27f4afcc07a479c16fe0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe
  C:\Windows\{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe
    C:\Windows\{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:364
  - - C:\Windows\{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe
      C:\Windows\{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3276
    - - C:\Windows\{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe
        
        C:\Windows\{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\Windows\{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe
        
        C:\Windows\{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe
        
        C:\Windows\{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\{E865A40D-0723-43dc-A01A-34086C183D6C}.exe
        
        C:\Windows\{E865A40D-0723-43dc-A01A-34086C183D6C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe
        
        C:\Windows\{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{437CB8E7-11C1-4791-B361-940A9E6C4385}.exe
        
        C:\Windows\{437CB8E7-11C1-4791-B361-940A9E6C4385}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CD0B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E865A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FC85~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{376D4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4AB3~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59B8D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{11EAD~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9CDF0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CB4496~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CD0B9EB-32E9-4a96-B527-9BDE74128979}.exe

Filesize
89KB

MD5
aaa3c2c69c2435b8f1f5a7f3ee87f2d1

SHA1
d3a7682652619ea834f78c0a4d14179e9004f9d8

SHA256
ab66d7122ed5c40852204cab148b44ef6e965ce4485d0103bffd5c3cf8250240

SHA512
ab83e51e70ec0448630e86a3b45428e1c71fee6f99553ab528305f3ad9025e01a95b4eea80f3e63e42cde42f425a70f895bcacc928cad9a0456a48d0dd6ba100

Download Submit
C:\Windows\{0FC852CC-4DB5-492c-9ED7-0627CF9F22BF}.exe

Filesize
89KB

MD5
42a58f2ccf6d28f879f292b654dca738

SHA1
ce256033875cfdb84b53b68e3885732b26ffd40c

SHA256
6ca9efbc06f5cb081208d61cea5f5d4db3fc0ec19aa9cba14ef6d93b1eb2f2e0

SHA512
fd0af15311cba742df0f97471403d53d1ce23ef8df8ae7f5412657a2448cb94dc218281087ac192d1a716de356df15070a84ec7f9f97481fa543f539a362592c

Download Submit
C:\Windows\{11EADA16-9C82-43ae-9DD9-37139DF598CD}.exe

Filesize
89KB

MD5
9771b788e9d4c3406d759cb9e3714c47

SHA1
44366ebbea5e5d55da35eae849eaedfdbd158275

SHA256
43e37ab0cccb3fff6d6de2e7490d11a16f770b2aa4fa21db49bd72a5e2495d3d

SHA512
d97f3bf122f03971d44d2c2fc12ce648b2f5b9e646f09c28366083bae8048be15cc3a32f1de84698c22b5b33adaa3ad60c90ad3ba9ae2527934a415233e47c72

Download Submit
C:\Windows\{376D4A62-C67C-42eb-A5DC-8F85D2C38B06}.exe

Filesize
89KB

MD5
0c9473d9c7b2c9f370623d278413e9d6

SHA1
0eba7ca3af26bfbc239744f9994bf7bd5a14d0d8

SHA256
211d297068af9590708aae7cdc74d83f69d2af8bc846ac1d8806427cbeca3b4d

SHA512
646d66888027c7fef72c4ee3c2a97dea193dbeffb56a3abc411829f9d307553886d4a47208c519611928b5e7810c7f24a63a0a1f7c998411083309a0870e012c

Download Submit
C:\Windows\{437CB8E7-11C1-4791-B361-940A9E6C4385}.exe

Filesize
89KB

MD5
37f06b5c686803631e28c852c1869733

SHA1
88c6be4841d4f18d4d0bed963a7cc4ff35b25b66

SHA256
5d96fb3bd9076bfe297a29de619db8f748b9344ce341279d96453126dbf75ed3

SHA512
b001ca156f382a87db588b24fd2dba7450b7d7b53071de970a373f47bd1e5e29e6b03382bf45a19b1c17c369c5effc5b6c562f3047c20a2e912ac547e0c0f22c

Download Submit
C:\Windows\{59B8D4BD-603F-4c5c-B5EB-391159568DBE}.exe

Filesize
89KB

MD5
2840153217845d9f7598154ee9585776

SHA1
b104f500f5907a981ee0ddb1edcc05401cf998d1

SHA256
935b493cf2699f40fc822cb8901e7c280b27907c603688404b237d5d7f45f653

SHA512
2575c058013c800c3b09cec73025bae25479c35ff2c6fcbfe5987fa7baa119307530bb0ff09fef5a9329d5f5ca5aeccfef3cf5c254236e05544933795801a173

Download Submit
C:\Windows\{9CDF01CF-6EFD-44d9-AD50-F46106CEB630}.exe

Filesize
89KB

MD5
c83fb5f49777f3b99d46f8285e9ad505

SHA1
00b70f26f553621c250b08ad49728ddf5bfa7693

SHA256
9b7670f2b4fc53917016d527ca6bffaee83ea1fd07f4ab9430f35b460e8156b0

SHA512
f7fdabe73c34ed98f0d6f8458d306afd56faafbcb5a5e9007a5459c92d8471961cfce55802f8119a1c64d198afea9194bbe4c4e36153a7eadc9c2dd142074d6a

Download Submit
C:\Windows\{B4AB3024-C151-446b-90B9-9C4AB4D5C086}.exe

Filesize
89KB

MD5
2a1ad310622140426481179dd7f136c7

SHA1
84db652a7748b36174ba73eb329e9899d7a278c7

SHA256
88f0a3bbf061363ea831317830be8dc68b805c5e15e692d9a1f4d9656ce69820

SHA512
3703e772a415b3ab7b6c31e7d0b7dbbaaf17623e348d17ffd6fb5286aff8d8d3dc022cfe5a984fbbf2bd001220c9e8a3ddd1a2a3d2fa8155f27e8f038834587b

Download Submit
C:\Windows\{E865A40D-0723-43dc-A01A-34086C183D6C}.exe

Filesize
89KB

MD5
438f67ed86d34dc3c6933f74a4347920

SHA1
f7256ae5b0eac73349c7c4e2a75c9cca9f4682fc

SHA256
260197d2d438b16b925bef48c019e7dc43271e8358a44a73cf8ef3a7e67ab411

SHA512
f91211dfd6e45dcf3e96df84ba3125d142cc18b2f1317eaf289df49dbb8893eb750e6dc18bdaf5a12ba14838572a7871f8064ea9218cbcfb9999af8e9053df47

Download Submit
memory/364-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/364-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1664-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1664-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1908-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1908-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1908-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2736-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2736-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3276-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3276-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3484-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3484-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3900-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3900-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3900-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4560-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4900-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4900-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads