68840a87e639955e250fb993bde51a88b2319afcc84f3aa25cbfb22bf8f9a700

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe
Size

90KB
MD5

72a9fe6afe0c0e2d6fa95bbfb9e5c150
SHA1

5bd497e0eb8d382484ae2ca33f01778bcbff2620
SHA256

68840a87e639955e250fb993bde51a88b2319afcc84f3aa25cbfb22bf8f9a700
SHA512

fa79bc670dc9db05c25904d1d8f72686668c171edac65356eb512b7992e251a37c388b2d7c2a23bf6b5a397afadb90b0c7c266e287c55cf914da7a00c73a432e
SSDEEP

768:Qvw9816vhKQLro/4/wQRNrfrunMxVFA3b7glw6:YEGh0o/l2unMxVS3Hgl

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}\stubpath = "C:\\Windows\\{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe"	{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}\stubpath = "C:\\Windows\\{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe"	{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBB7C245-83BF-41cd-9476-F06A48067FB9}\stubpath = "C:\\Windows\\{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe"	{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A622D3A-8BFA-444c-B5EE-6DC8375CCCA8}	{9569FC1A-979F-4e58-A362-FC840F541349}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90AB0F41-FD58-46e0-A990-26658B2B16B7}	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90AB0F41-FD58-46e0-A990-26658B2B16B7}\stubpath = "C:\\Windows\\{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe"	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}	{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9569FC1A-979F-4e58-A362-FC840F541349}\stubpath = "C:\\Windows\\{9569FC1A-979F-4e58-A362-FC840F541349}.exe"	{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A622D3A-8BFA-444c-B5EE-6DC8375CCCA8}\stubpath = "C:\\Windows\\{2A622D3A-8BFA-444c-B5EE-6DC8375CCCA8}.exe"	{9569FC1A-979F-4e58-A362-FC840F541349}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}\stubpath = "C:\\Windows\\{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe"	{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14CEB388-2722-4e8e-BC9A-3BA233980C05}	{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBB7C245-83BF-41cd-9476-F06A48067FB9}	{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7050A30-EF3A-4f07-B651-253FB7E4A48D}	{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7050A30-EF3A-4f07-B651-253FB7E4A48D}\stubpath = "C:\\Windows\\{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe"	{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9569FC1A-979F-4e58-A362-FC840F541349}	{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}	{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}	{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14CEB388-2722-4e8e-BC9A-3BA233980C05}\stubpath = "C:\\Windows\\{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe"	{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe

Deletes itself 1 IoCs

pid	Process
2436	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2948	{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe
2632	{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe
3056	{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe
2664	{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe
2456	{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe
1420	{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe
1692	{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe
1888	{9569FC1A-979F-4e58-A362-FC840F541349}.exe
1120	{2A622D3A-8BFA-444c-B5EE-6DC8375CCCA8}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe	{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe
File created	C:\Windows\{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe	{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe
File created	C:\Windows\{9569FC1A-979F-4e58-A362-FC840F541349}.exe	{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe
File created	C:\Windows\{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe
File created	C:\Windows\{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe	{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe
File created	C:\Windows\{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe	{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe
File created	C:\Windows\{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe	{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe
File created	C:\Windows\{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe	{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe
File created	C:\Windows\{2A622D3A-8BFA-444c-B5EE-6DC8375CCCA8}.exe	{9569FC1A-979F-4e58-A362-FC840F541349}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9569FC1A-979F-4e58-A362-FC840F541349}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2A622D3A-8BFA-444c-B5EE-6DC8375CCCA8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2072	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe
Token: SeIncBasePriorityPrivilege	2948	{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe
Token: SeIncBasePriorityPrivilege	2632	{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe
Token: SeIncBasePriorityPrivilege	3056	{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe
Token: SeIncBasePriorityPrivilege	2664	{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe
Token: SeIncBasePriorityPrivilege	2456	{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe
Token: SeIncBasePriorityPrivilege	1420	{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe
Token: SeIncBasePriorityPrivilege	1692	{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe
Token: SeIncBasePriorityPrivilege	1888	{9569FC1A-979F-4e58-A362-FC840F541349}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2948	2072	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe	31
PID 2072 wrote to memory of 2948	2072	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe	31
PID 2072 wrote to memory of 2948	2072	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe	31
PID 2072 wrote to memory of 2948	2072	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe	31
PID 2072 wrote to memory of 2436	2072	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe	32
PID 2072 wrote to memory of 2436	2072	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe	32
PID 2072 wrote to memory of 2436	2072	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe	32
PID 2072 wrote to memory of 2436	2072	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe	32
PID 2948 wrote to memory of 2632	2948	{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe	33
PID 2948 wrote to memory of 2632	2948	{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe	33
PID 2948 wrote to memory of 2632	2948	{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe	33
PID 2948 wrote to memory of 2632	2948	{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe	33
PID 2948 wrote to memory of 2748	2948	{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe	34
PID 2948 wrote to memory of 2748	2948	{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe	34
PID 2948 wrote to memory of 2748	2948	{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe	34
PID 2948 wrote to memory of 2748	2948	{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe	34
PID 2632 wrote to memory of 3056	2632	{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe	35
PID 2632 wrote to memory of 3056	2632	{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe	35
PID 2632 wrote to memory of 3056	2632	{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe	35
PID 2632 wrote to memory of 3056	2632	{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe	35
PID 2632 wrote to memory of 2564	2632	{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe	36
PID 2632 wrote to memory of 2564	2632	{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe	36
PID 2632 wrote to memory of 2564	2632	{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe	36
PID 2632 wrote to memory of 2564	2632	{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe	36
PID 3056 wrote to memory of 2664	3056	{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe	37
PID 3056 wrote to memory of 2664	3056	{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe	37
PID 3056 wrote to memory of 2664	3056	{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe	37
PID 3056 wrote to memory of 2664	3056	{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe	37
PID 3056 wrote to memory of 2308	3056	{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe	38
PID 3056 wrote to memory of 2308	3056	{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe	38
PID 3056 wrote to memory of 2308	3056	{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe	38
PID 3056 wrote to memory of 2308	3056	{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe	38
PID 2664 wrote to memory of 2456	2664	{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe	39
PID 2664 wrote to memory of 2456	2664	{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe	39
PID 2664 wrote to memory of 2456	2664	{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe	39
PID 2664 wrote to memory of 2456	2664	{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe	39
PID 2664 wrote to memory of 2972	2664	{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe	40
PID 2664 wrote to memory of 2972	2664	{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe	40
PID 2664 wrote to memory of 2972	2664	{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe	40
PID 2664 wrote to memory of 2972	2664	{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe	40
PID 2456 wrote to memory of 1420	2456	{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe	41
PID 2456 wrote to memory of 1420	2456	{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe	41
PID 2456 wrote to memory of 1420	2456	{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe	41
PID 2456 wrote to memory of 1420	2456	{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe	41
PID 2456 wrote to memory of 1388	2456	{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe	42
PID 2456 wrote to memory of 1388	2456	{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe	42
PID 2456 wrote to memory of 1388	2456	{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe	42
PID 2456 wrote to memory of 1388	2456	{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe	42
PID 1420 wrote to memory of 1692	1420	{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe	43
PID 1420 wrote to memory of 1692	1420	{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe	43
PID 1420 wrote to memory of 1692	1420	{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe	43
PID 1420 wrote to memory of 1692	1420	{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe	43
PID 1420 wrote to memory of 1852	1420	{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe	44
PID 1420 wrote to memory of 1852	1420	{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe	44
PID 1420 wrote to memory of 1852	1420	{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe	44
PID 1420 wrote to memory of 1852	1420	{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe	44
PID 1692 wrote to memory of 1888	1692	{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe	45
PID 1692 wrote to memory of 1888	1692	{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe	45
PID 1692 wrote to memory of 1888	1692	{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe	45
PID 1692 wrote to memory of 1888	1692	{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe	45
PID 1692 wrote to memory of 1748	1692	{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe	46
PID 1692 wrote to memory of 1748	1692	{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe	46
PID 1692 wrote to memory of 1748	1692	{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe	46
PID 1692 wrote to memory of 1748	1692	{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe	46

C:\Users\Admin\AppData\Local\Temp\72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe
"C:\Users\Admin\AppData\Local\Temp\72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe
  C:\Windows\{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe
    C:\Windows\{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe
      C:\Windows\{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe
        
        C:\Windows\{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe
        
        C:\Windows\{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe
        
        C:\Windows\{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe
        
        C:\Windows\{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\{9569FC1A-979F-4e58-A362-FC840F541349}.exe
        
        C:\Windows\{9569FC1A-979F-4e58-A362-FC840F541349}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\{2A622D3A-8BFA-444c-B5EE-6DC8375CCCA8}.exe
        
        C:\Windows\{2A622D3A-8BFA-444c-B5EE-6DC8375CCCA8}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9569F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7050~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBB7C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14CEB~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E483E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5FE7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6105B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{90AB0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\72A9FE~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14CEB388-2722-4e8e-BC9A-3BA233980C05}.exe

Filesize
90KB

MD5
c017857f727f6c7a3cb3c9e1b6a16b9e

SHA1
41ecb5f417dc138931f3c857094d5a0753046ea0

SHA256
c724a2587a3fb312831ed9e98c0d5fa2c87baf0a4b683867023698e1c970f7d0

SHA512
350daa76c2c72d2c30601c7e39c87d47375d85f36ae6c3552bbf9a601b7a208b9a184a54d726783e87aa9b9de80a3a92cee30ff895355d8f8384b0cf010e2016

Download Submit
C:\Windows\{2A622D3A-8BFA-444c-B5EE-6DC8375CCCA8}.exe

Filesize
90KB

MD5
ae40f28a919088787d45b444e9d2dfc9

SHA1
7b90106324965fec55b29dd251a3c2cd78baa806

SHA256
04942626e269c2a19dea2c13436669ae1f8e8acb07a5080bf6abbb75a9162b41

SHA512
799431c2046a830fde94a2302d0636f19f3e72c0175a76e2060c5adad05a8555affd771138670f8929f8055e9c4053603d59339ef9c4f18096ea17b73bf8884d

Download Submit
C:\Windows\{6105B4B4-FF6E-4cac-83D5-D60BB0E715DB}.exe

Filesize
90KB

MD5
282f2b608010e08374b7b6072bcc51f4

SHA1
c9e3cc98223f045a6afeb1582b616c4fcd8b1c3c

SHA256
8cb85042b74a50df43f13a7a2dad5bf3c041c125cc97b0a6ac2e8b762f916f26

SHA512
eab62c6d529dd69a0e8ef63933760e28d5719091cf011295a76d2a975b7a304edfc5c5bbdb6f2972bf047d8ef16448cc1969affc45140f7e5c0193347b97efc4

Download Submit
C:\Windows\{90AB0F41-FD58-46e0-A990-26658B2B16B7}.exe

Filesize
90KB

MD5
78acf01e5ce8155ae78bab593f1d90ec

SHA1
99c5afae1450ca902a46a5ab0062fb40a5602f7b

SHA256
00e2f4b696eaaffcdc67b15183b9f97fcfa6866de251ed8f7eb7771da67372ed

SHA512
5eb89870631205f4cbd93d04d2092a390ffd93f977c2c8a59dd855508a7fcacd1b9f404fb2ebd7a23080dfd86b840dbb2406a94252b1e28e170bf462803c4231

Download Submit
C:\Windows\{9569FC1A-979F-4e58-A362-FC840F541349}.exe

Filesize
90KB

MD5
6a4ac95d9165cef614fd70d02677e025

SHA1
75d7cbd962ec6bbdc88e44363face6618ceb1c3d

SHA256
257cfef3080c1b8042cc3645d3059f0d0561bdf70e89fd617b37e4b4e2854bda

SHA512
ebd25ef804f0c4ce3990d696171bd83ab68744d2ca404146f9135cb19de5690b356aa97b68c41f771623608e1c6eedca456b3ea33b5ec27168ac77372c99788c

Download Submit
C:\Windows\{C5FE7D8C-767C-43a3-83FA-69BF87AFBB56}.exe

Filesize
90KB

MD5
d280e0614e08b060b1374db51d4a6884

SHA1
ba039d3e13516e5ad27aa42c71f212e5474eb07b

SHA256
1fc8810ddb3fefa8fcf7055bf43d4b6ac759d1e266422a27105f6340780555f3

SHA512
e194cc399d31be505a25aedc4085cf073c9072b8d4e28d332e50c9c3c0d77b60e57e9716d90483e5cb578447519a7711231ee3c253b6d27c7d08bd57f3d1d294

Download Submit
C:\Windows\{C7050A30-EF3A-4f07-B651-253FB7E4A48D}.exe

Filesize
90KB

MD5
647e6dfdb3a0bb7627e36ce7e200be7a

SHA1
0493c94d84fde48087d1240fc1d12253898b4157

SHA256
8b18d9a1d16827e94f3fdc173ebf3d4e1ee492558d423153fc5aa64905680443

SHA512
df76c1174d783618712123e517d118bfe4640ae0c7148b14e19959b3ddb6ff7d91b6342bbcba927362ddd0cb0398ff097782e0c3e31d1cefa4a056882cff7e54

Download Submit
C:\Windows\{DBB7C245-83BF-41cd-9476-F06A48067FB9}.exe

Filesize
90KB

MD5
780f5397f8cb88f23ca464670ccf6169

SHA1
e9d36ff15b38232331bc1e9ca6309c32dee55af5

SHA256
5eb991171f7a58c6e4837ebb89e504372517c438b5e5eaa76c1f7f92079bb44a

SHA512
afb2911e5f0146b7031cc9470ba5b35e192e9199f4d6123cc0a2d66bfd57bd2174c19182fae580506bd6a43e3bf552775d1db33f0ad899a57067278e1dd04cd8

Download Submit
C:\Windows\{E483EFAE-B6DA-43fe-BE91-56850E8C6D87}.exe

Filesize
90KB

MD5
ca117b85e42be31252f53988a92df088

SHA1
df3b826794901d55c053d95f8318d05f1ee2e4c8

SHA256
066896010e8fa92f93b92d0e65097afcb4a134899783f6c58cdc3b327e00d240

SHA512
e7e9986e8624f6909caca2eeb2ba5985c69df0d49ae1e6dbf6a60fb10235b1bc968866e9382e7c876059e484ec819c1b69623235f63c83b40963565649a3116d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads