68840a87e639955e250fb993bde51a88b2319afcc84f3aa25cbfb22bf8f9a700

Analysis

max time kernel
118s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe
Size

90KB
MD5

72a9fe6afe0c0e2d6fa95bbfb9e5c150
SHA1

5bd497e0eb8d382484ae2ca33f01778bcbff2620
SHA256

68840a87e639955e250fb993bde51a88b2319afcc84f3aa25cbfb22bf8f9a700
SHA512

fa79bc670dc9db05c25904d1d8f72686668c171edac65356eb512b7992e251a37c388b2d7c2a23bf6b5a397afadb90b0c7c266e287c55cf914da7a00c73a432e
SSDEEP

768:Qvw9816vhKQLro/4/wQRNrfrunMxVFA3b7glw6:YEGh0o/l2unMxVS3Hgl

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{796A994C-81B6-4743-971B-4D919F718F52}\stubpath = "C:\\Windows\\{796A994C-81B6-4743-971B-4D919F718F52}.exe"	{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7E79622-2155-46dc-9449-D7B0DC713369}	{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{477EC86A-B95A-4b81-B263-87C58D3562BE}	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{477EC86A-B95A-4b81-B263-87C58D3562BE}\stubpath = "C:\\Windows\\{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe"	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70778BD2-4621-4b1c-92E5-D51EA84106A7}\stubpath = "C:\\Windows\\{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe"	{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25B61D98-0542-4688-85C5-1AFBED8A0E76}	{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25B61D98-0542-4688-85C5-1AFBED8A0E76}\stubpath = "C:\\Windows\\{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe"	{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D21CC69F-5C30-48b0-BD6E-E239E7547840}	{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D21CC69F-5C30-48b0-BD6E-E239E7547840}\stubpath = "C:\\Windows\\{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe"	{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12BF12DA-4529-48b9-904B-0FD30EC86CD9}\stubpath = "C:\\Windows\\{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe"	{796A994C-81B6-4743-971B-4D919F718F52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AF43264-5526-4612-B0D7-230C94BD92E2}\stubpath = "C:\\Windows\\{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe"	{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7E79622-2155-46dc-9449-D7B0DC713369}\stubpath = "C:\\Windows\\{A7E79622-2155-46dc-9449-D7B0DC713369}.exe"	{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9E88644-842F-4ffe-96AE-7A95BECE65E3}	{A7E79622-2155-46dc-9449-D7B0DC713369}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9E88644-842F-4ffe-96AE-7A95BECE65E3}\stubpath = "C:\\Windows\\{D9E88644-842F-4ffe-96AE-7A95BECE65E3}.exe"	{A7E79622-2155-46dc-9449-D7B0DC713369}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70778BD2-4621-4b1c-92E5-D51EA84106A7}	{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{796A994C-81B6-4743-971B-4D919F718F52}	{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12BF12DA-4529-48b9-904B-0FD30EC86CD9}	{796A994C-81B6-4743-971B-4D919F718F52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AF43264-5526-4612-B0D7-230C94BD92E2}	{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe

Executes dropped EXE 9 IoCs

pid	Process
3032	{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe
992	{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe
4932	{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe
1564	{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe
2616	{796A994C-81B6-4743-971B-4D919F718F52}.exe
2580	{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe
4668	{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe
3756	{A7E79622-2155-46dc-9449-D7B0DC713369}.exe
3528	{D9E88644-842F-4ffe-96AE-7A95BECE65E3}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe	{796A994C-81B6-4743-971B-4D919F718F52}.exe
File created	C:\Windows\{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe	{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe
File created	C:\Windows\{A7E79622-2155-46dc-9449-D7B0DC713369}.exe	{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe
File created	C:\Windows\{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe	{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe
File created	C:\Windows\{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe	{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe
File created	C:\Windows\{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe	{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe
File created	C:\Windows\{796A994C-81B6-4743-971B-4D919F718F52}.exe	{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe
File created	C:\Windows\{D9E88644-842F-4ffe-96AE-7A95BECE65E3}.exe	{A7E79622-2155-46dc-9449-D7B0DC713369}.exe
File created	C:\Windows\{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7E79622-2155-46dc-9449-D7B0DC713369}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D9E88644-842F-4ffe-96AE-7A95BECE65E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{796A994C-81B6-4743-971B-4D919F718F52}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1632	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe
Token: SeIncBasePriorityPrivilege	3032	{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe
Token: SeIncBasePriorityPrivilege	992	{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe
Token: SeIncBasePriorityPrivilege	4932	{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe
Token: SeIncBasePriorityPrivilege	1564	{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe
Token: SeIncBasePriorityPrivilege	2616	{796A994C-81B6-4743-971B-4D919F718F52}.exe
Token: SeIncBasePriorityPrivilege	2580	{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe
Token: SeIncBasePriorityPrivilege	4668	{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe
Token: SeIncBasePriorityPrivilege	3756	{A7E79622-2155-46dc-9449-D7B0DC713369}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 3032	1632	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe	95
PID 1632 wrote to memory of 3032	1632	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe	95
PID 1632 wrote to memory of 3032	1632	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe	95
PID 1632 wrote to memory of 4548	1632	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe	96
PID 1632 wrote to memory of 4548	1632	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe	96
PID 1632 wrote to memory of 4548	1632	72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe	96
PID 3032 wrote to memory of 992	3032	{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe	97
PID 3032 wrote to memory of 992	3032	{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe	97
PID 3032 wrote to memory of 992	3032	{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe	97
PID 3032 wrote to memory of 3180	3032	{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe	98
PID 3032 wrote to memory of 3180	3032	{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe	98
PID 3032 wrote to memory of 3180	3032	{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe	98
PID 992 wrote to memory of 4932	992	{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe	102
PID 992 wrote to memory of 4932	992	{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe	102
PID 992 wrote to memory of 4932	992	{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe	102
PID 992 wrote to memory of 2544	992	{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe	103
PID 992 wrote to memory of 2544	992	{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe	103
PID 992 wrote to memory of 2544	992	{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe	103
PID 4932 wrote to memory of 1564	4932	{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe	104
PID 4932 wrote to memory of 1564	4932	{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe	104
PID 4932 wrote to memory of 1564	4932	{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe	104
PID 4932 wrote to memory of 4340	4932	{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe	105
PID 4932 wrote to memory of 4340	4932	{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe	105
PID 4932 wrote to memory of 4340	4932	{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe	105
PID 1564 wrote to memory of 2616	1564	{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe	106
PID 1564 wrote to memory of 2616	1564	{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe	106
PID 1564 wrote to memory of 2616	1564	{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe	106
PID 1564 wrote to memory of 3540	1564	{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe	107
PID 1564 wrote to memory of 3540	1564	{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe	107
PID 1564 wrote to memory of 3540	1564	{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe	107
PID 2616 wrote to memory of 2580	2616	{796A994C-81B6-4743-971B-4D919F718F52}.exe	109
PID 2616 wrote to memory of 2580	2616	{796A994C-81B6-4743-971B-4D919F718F52}.exe	109
PID 2616 wrote to memory of 2580	2616	{796A994C-81B6-4743-971B-4D919F718F52}.exe	109
PID 2616 wrote to memory of 1948	2616	{796A994C-81B6-4743-971B-4D919F718F52}.exe	110
PID 2616 wrote to memory of 1948	2616	{796A994C-81B6-4743-971B-4D919F718F52}.exe	110
PID 2616 wrote to memory of 1948	2616	{796A994C-81B6-4743-971B-4D919F718F52}.exe	110
PID 2580 wrote to memory of 4668	2580	{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe	111
PID 2580 wrote to memory of 4668	2580	{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe	111
PID 2580 wrote to memory of 4668	2580	{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe	111
PID 2580 wrote to memory of 3964	2580	{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe	112
PID 2580 wrote to memory of 3964	2580	{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe	112
PID 2580 wrote to memory of 3964	2580	{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe	112
PID 4668 wrote to memory of 3756	4668	{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe	117
PID 4668 wrote to memory of 3756	4668	{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe	117
PID 4668 wrote to memory of 3756	4668	{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe	117
PID 4668 wrote to memory of 2096	4668	{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe	118
PID 4668 wrote to memory of 2096	4668	{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe	118
PID 4668 wrote to memory of 2096	4668	{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe	118
PID 3756 wrote to memory of 3528	3756	{A7E79622-2155-46dc-9449-D7B0DC713369}.exe	123
PID 3756 wrote to memory of 3528	3756	{A7E79622-2155-46dc-9449-D7B0DC713369}.exe	123
PID 3756 wrote to memory of 3528	3756	{A7E79622-2155-46dc-9449-D7B0DC713369}.exe	123
PID 3756 wrote to memory of 2696	3756	{A7E79622-2155-46dc-9449-D7B0DC713369}.exe	124
PID 3756 wrote to memory of 2696	3756	{A7E79622-2155-46dc-9449-D7B0DC713369}.exe	124
PID 3756 wrote to memory of 2696	3756	{A7E79622-2155-46dc-9449-D7B0DC713369}.exe	124

C:\Users\Admin\AppData\Local\Temp\72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe
"C:\Users\Admin\AppData\Local\Temp\72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe
  C:\Windows\{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe
    C:\Windows\{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Windows\{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe
      C:\Windows\{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Windows\{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe
        
        C:\Windows\{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
      - C:\Windows\{796A994C-81B6-4743-971B-4D919F718F52}.exe
        
        C:\Windows\{796A994C-81B6-4743-971B-4D919F718F52}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe
        
        C:\Windows\{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe
        
        C:\Windows\{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\{A7E79622-2155-46dc-9449-D7B0DC713369}.exe
        
        C:\Windows\{A7E79622-2155-46dc-9449-D7B0DC713369}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\{D9E88644-842F-4ffe-96AE-7A95BECE65E3}.exe
        
        C:\Windows\{D9E88644-842F-4ffe-96AE-7A95BECE65E3}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7E79~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AF43~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12BF1~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{796A9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25B61~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70778~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D21CC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{477EC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\72A9FE~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe

Filesize
90KB

MD5
461935fef9e7c45617388ecdb0aaa35f

SHA1
eb0a7d3d4d867985027e1f144959c9b6e3e614b7

SHA256
e8b4419f27ae7290e02e031c04c4c13d921ee6f52a7f953eb2ce37b9fc383152

SHA512
824803ce3b8a1f5555e38f5e4d2538305e88a8e22a33dd5eea632e6d8366c816715fb4fc613b9835258bbe3796a55873f581f936449dcf991e1ef3b529f75a2b

Download Submit
C:\Windows\{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe

Filesize
90KB

MD5
70575a628f23e8012dea7b2be765d139

SHA1
ad4a620604c57b71f397d4f0fe5e8f34efc779f6

SHA256
313e9e890c054b8e2464541a3bca96b8e3ce105cf554e34d4756cd881f42b18e

SHA512
86ab472262635ca0ac2abd2b18e02e8dbd8077d2f5e9147b30388d1fa5410edccf92c8cb160f4844abdd4ce2c8743dfc723f78125e464b3b67d4254e320bceef

Download Submit
C:\Windows\{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe

Filesize
90KB

MD5
0e168461fc18a373d742b163fdfd69ed

SHA1
920eddedf2ed44e8d78a80f4fe896c2431b1c30e

SHA256
78507aec14c17c3e561fec2adaa036861e1939d0e2248f0d08808d2b7dfb49a6

SHA512
706a18f4a3f33f03d4397e064fa33075cb965ed68e7605ce31a1c8fcf5f0a80ef989e1e534b8b33fef9efb44e724055ef98810d74cff8853b6b15536e251efd2

Download Submit
C:\Windows\{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe

Filesize
90KB

MD5
21603c8cbe0586fba94942cdfd0dbcdc

SHA1
cd3459f1dc11cb5154118d1b5f035a302d9da2de

SHA256
bc2388d9bde933760b13edeaffc51ee79657f964f3706affd777892490859c97

SHA512
c6b6c59b3900f7d7bd6e68f7305cbf5686f0589da4a29306c4998d9556fd4ea83e4319b886e1edce51587871521c3f4a62617fd52ebf7a422c7f38fcab4c75c7

Download Submit
C:\Windows\{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe

Filesize
90KB

MD5
082732b6e8f0bd0d07b03aa5e1b58b61

SHA1
b7a57efc1e2c7e1b3e2a42d20b232fc9ef8dcb97

SHA256
d7a012e9881c85f4ef7f941d6f3ab31057b9bdd1c4974dfd0db2a8e236cbd5cd

SHA512
fe3ba88f500ef01a5a10838092d79119f971fb72a658c55d2f2ec143e599ece39b0958eac10fcc7798777ccc1566709f2610e0dd8e61fa6d40a24ff25b73dd8b

Download Submit
C:\Windows\{796A994C-81B6-4743-971B-4D919F718F52}.exe

Filesize
90KB

MD5
f2be8e118a25b070b3b742e1d40aa4e5

SHA1
5650229737c8d547a9683846797c5730d5bb66d9

SHA256
69044b72755827a0043a866127d414682dd10ad3c78850e237ac771af996198b

SHA512
b7e44b69b9c9fac2f32cca660f504deaafe83e9dab305e158819db6c29c23087365ba68866fec73fa75324c35475322e4c37b1c30ce3e7217b667aad5d980a3d

Download Submit
C:\Windows\{A7E79622-2155-46dc-9449-D7B0DC713369}.exe

Filesize
90KB

MD5
4ff33719b462dc7694fc5769daae4f2a

SHA1
84df3f20ddec6b8a8abf120dd4923c85d91e159a

SHA256
03d4fa4677bd4c9bceaea22a7981f7c66236066216e3bc6900d7fba51e5cd5e8

SHA512
acb54ae6066a2e4159ce0c8e00cbdee9230d4fca7d6a2031bb5d1937ceb9f71b7ba5016715a64fd6259cb0e2e0e76fa7d44fc97d79585c757379012b9b4a4abe

Download Submit
C:\Windows\{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe

Filesize
90KB

MD5
ea153d9f2c0430645bbb70107d452759

SHA1
eff80a2a9bbaf786ecc5741fb0ec416220504c14

SHA256
af6b6bd0030a5e6e154f6cb9323382ed1685689697e8d366291ce3da931c041d

SHA512
606f9e497d68f246dc0648dc43650405af59156b9e11fb49ae7250d3341dd602de657e73297601b2cb065582f1054d326b07f4f6e55fe7f9efd30982a785ff32

Download Submit
C:\Windows\{D9E88644-842F-4ffe-96AE-7A95BECE65E3}.exe

Filesize
90KB

MD5
9e2029db1021ecccc822cfaf8e11946a

SHA1
c8796e2f6aa39afa3d06a833387cbaaedfd0d7b1

SHA256
0e8bb0078651851381863fb69680d993115a75fb8791ced546c62b848238763f

SHA512
50e292b232f216131324e1fec3edb17fe7810118c0b6a62ff93b5a5c3098e2ddd071fb1c0e71db9c443201ae696ccc213d520c35b2f96baab56092059fc62564

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads