895e73ada2bbd57e122c9dffad787a84fddce5e4a132253f22c9c27cff3a96d4

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20b2db18fb06fba12487960d61359070N.exe
Size

91KB
MD5

20b2db18fb06fba12487960d61359070
SHA1

e26f2a49f6975c727554a4be8256b86f0d6df859
SHA256

895e73ada2bbd57e122c9dffad787a84fddce5e4a132253f22c9c27cff3a96d4
SHA512

860be0f7c2f0c902721fc231234cadf17118ce2b04a5fce4aa9dab6f067cafea83e2f7d6b47e0592eac15f16d952c38347e89e7abb5fea73aa253b21c94107e6
SSDEEP

768:5vw9816uhKiro74/wQNNrfrunMxVFA3b7t:lEGkmo7lCunMxVS3Ht

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B2C2F49-5371-4c55-A7C5-549AAC45C8A9}\stubpath = "C:\\Windows\\{6B2C2F49-5371-4c55-A7C5-549AAC45C8A9}.exe"	{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83C486D-4699-4975-A5E8-3BCE9D614CAE}\stubpath = "C:\\Windows\\{E83C486D-4699-4975-A5E8-3BCE9D614CAE}.exe"	{6B2C2F49-5371-4c55-A7C5-549AAC45C8A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{447F81DB-30A2-4e87-9B84-9689D0BE11B7}\stubpath = "C:\\Windows\\{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe"	{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}\stubpath = "C:\\Windows\\{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe"	{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}	{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99537D22-920D-4107-AEDA-28EE31F1DB84}	{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}	20b2db18fb06fba12487960d61359070N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}\stubpath = "C:\\Windows\\{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe"	{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99537D22-920D-4107-AEDA-28EE31F1DB84}\stubpath = "C:\\Windows\\{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe"	{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}	{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B2C2F49-5371-4c55-A7C5-549AAC45C8A9}	{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}\stubpath = "C:\\Windows\\{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe"	20b2db18fb06fba12487960d61359070N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BB419E2-731E-4356-BFD7-CC7262A51DFF}	{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BB419E2-731E-4356-BFD7-CC7262A51DFF}\stubpath = "C:\\Windows\\{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe"	{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}\stubpath = "C:\\Windows\\{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe"	{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{447F81DB-30A2-4e87-9B84-9689D0BE11B7}	{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}	{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83C486D-4699-4975-A5E8-3BCE9D614CAE}	{6B2C2F49-5371-4c55-A7C5-549AAC45C8A9}.exe

Deletes itself 1 IoCs

pid	Process
2664	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2820	{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe
2560	{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe
2616	{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe
2024	{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe
1732	{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe
2944	{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe
444	{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe
1972	{6B2C2F49-5371-4c55-A7C5-549AAC45C8A9}.exe
1052	{E83C486D-4699-4975-A5E8-3BCE9D614CAE}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe	20b2db18fb06fba12487960d61359070N.exe
File created	C:\Windows\{6B2C2F49-5371-4c55-A7C5-549AAC45C8A9}.exe	{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe
File created	C:\Windows\{E83C486D-4699-4975-A5E8-3BCE9D614CAE}.exe	{6B2C2F49-5371-4c55-A7C5-549AAC45C8A9}.exe
File created	C:\Windows\{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe	{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe
File created	C:\Windows\{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe	{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe
File created	C:\Windows\{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe	{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe
File created	C:\Windows\{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe	{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe
File created	C:\Windows\{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe	{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe
File created	C:\Windows\{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe	{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20b2db18fb06fba12487960d61359070N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6B2C2F49-5371-4c55-A7C5-549AAC45C8A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E83C486D-4699-4975-A5E8-3BCE9D614CAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2632	20b2db18fb06fba12487960d61359070N.exe
Token: SeIncBasePriorityPrivilege	2820	{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe
Token: SeIncBasePriorityPrivilege	2560	{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe
Token: SeIncBasePriorityPrivilege	2616	{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe
Token: SeIncBasePriorityPrivilege	2024	{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe
Token: SeIncBasePriorityPrivilege	1732	{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe
Token: SeIncBasePriorityPrivilege	2944	{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe
Token: SeIncBasePriorityPrivilege	444	{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe
Token: SeIncBasePriorityPrivilege	1972	{6B2C2F49-5371-4c55-A7C5-549AAC45C8A9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2820	2632	20b2db18fb06fba12487960d61359070N.exe	30
PID 2632 wrote to memory of 2820	2632	20b2db18fb06fba12487960d61359070N.exe	30
PID 2632 wrote to memory of 2820	2632	20b2db18fb06fba12487960d61359070N.exe	30
PID 2632 wrote to memory of 2820	2632	20b2db18fb06fba12487960d61359070N.exe	30
PID 2632 wrote to memory of 2664	2632	20b2db18fb06fba12487960d61359070N.exe	31
PID 2632 wrote to memory of 2664	2632	20b2db18fb06fba12487960d61359070N.exe	31
PID 2632 wrote to memory of 2664	2632	20b2db18fb06fba12487960d61359070N.exe	31
PID 2632 wrote to memory of 2664	2632	20b2db18fb06fba12487960d61359070N.exe	31
PID 2820 wrote to memory of 2560	2820	{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe	32
PID 2820 wrote to memory of 2560	2820	{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe	32
PID 2820 wrote to memory of 2560	2820	{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe	32
PID 2820 wrote to memory of 2560	2820	{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe	32
PID 2820 wrote to memory of 2708	2820	{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe	33
PID 2820 wrote to memory of 2708	2820	{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe	33
PID 2820 wrote to memory of 2708	2820	{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe	33
PID 2820 wrote to memory of 2708	2820	{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe	33
PID 2560 wrote to memory of 2616	2560	{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe	34
PID 2560 wrote to memory of 2616	2560	{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe	34
PID 2560 wrote to memory of 2616	2560	{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe	34
PID 2560 wrote to memory of 2616	2560	{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe	34
PID 2560 wrote to memory of 2144	2560	{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe	35
PID 2560 wrote to memory of 2144	2560	{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe	35
PID 2560 wrote to memory of 2144	2560	{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe	35
PID 2560 wrote to memory of 2144	2560	{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe	35
PID 2616 wrote to memory of 2024	2616	{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe	36
PID 2616 wrote to memory of 2024	2616	{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe	36
PID 2616 wrote to memory of 2024	2616	{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe	36
PID 2616 wrote to memory of 2024	2616	{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe	36
PID 2616 wrote to memory of 628	2616	{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe	37
PID 2616 wrote to memory of 628	2616	{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe	37
PID 2616 wrote to memory of 628	2616	{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe	37
PID 2616 wrote to memory of 628	2616	{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe	37
PID 2024 wrote to memory of 1732	2024	{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe	38
PID 2024 wrote to memory of 1732	2024	{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe	38
PID 2024 wrote to memory of 1732	2024	{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe	38
PID 2024 wrote to memory of 1732	2024	{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe	38
PID 2024 wrote to memory of 2940	2024	{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe	39
PID 2024 wrote to memory of 2940	2024	{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe	39
PID 2024 wrote to memory of 2940	2024	{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe	39
PID 2024 wrote to memory of 2940	2024	{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe	39
PID 1732 wrote to memory of 2944	1732	{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe	40
PID 1732 wrote to memory of 2944	1732	{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe	40
PID 1732 wrote to memory of 2944	1732	{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe	40
PID 1732 wrote to memory of 2944	1732	{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe	40
PID 1732 wrote to memory of 564	1732	{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe	41
PID 1732 wrote to memory of 564	1732	{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe	41
PID 1732 wrote to memory of 564	1732	{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe	41
PID 1732 wrote to memory of 564	1732	{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe	41
PID 2944 wrote to memory of 444	2944	{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe	42
PID 2944 wrote to memory of 444	2944	{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe	42
PID 2944 wrote to memory of 444	2944	{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe	42
PID 2944 wrote to memory of 444	2944	{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe	42
PID 2944 wrote to memory of 1976	2944	{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe	43
PID 2944 wrote to memory of 1976	2944	{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe	43
PID 2944 wrote to memory of 1976	2944	{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe	43
PID 2944 wrote to memory of 1976	2944	{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe	43
PID 444 wrote to memory of 1972	444	{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe	44
PID 444 wrote to memory of 1972	444	{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe	44
PID 444 wrote to memory of 1972	444	{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe	44
PID 444 wrote to memory of 1972	444	{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe	44
PID 444 wrote to memory of 1588	444	{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe	45
PID 444 wrote to memory of 1588	444	{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe	45
PID 444 wrote to memory of 1588	444	{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe	45
PID 444 wrote to memory of 1588	444	{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe	45

C:\Users\Admin\AppData\Local\Temp\20b2db18fb06fba12487960d61359070N.exe
"C:\Users\Admin\AppData\Local\Temp\20b2db18fb06fba12487960d61359070N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe
  C:\Windows\{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe
    C:\Windows\{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe
      C:\Windows\{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe
        
        C:\Windows\{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Windows\{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe
        
        C:\Windows\{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe
        
        C:\Windows\{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe
        
        C:\Windows\{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\{6B2C2F49-5371-4c55-A7C5-549AAC45C8A9}.exe
        
        C:\Windows\{6B2C2F49-5371-4c55-A7C5-549AAC45C8A9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\{E83C486D-4699-4975-A5E8-3BCE9D614CAE}.exe
        
        C:\Windows\{E83C486D-4699-4975-A5E8-3BCE9D614CAE}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B2C2~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03119~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99537~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B622~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4E5B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{447F8~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3BB41~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CDB09~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\20B2DB~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03119BBC-5E48-4341-B0C6-CBAE0B1DD83E}.exe

Filesize
91KB

MD5
a0f77907b5c76a3eb5a428ce4b2218db

SHA1
e384937c631ac24e875a597176e7c8257e9478c0

SHA256
78520d2894a093e821ae71a7ba71ce0529dad074ff5ed295438a42c9678f28ca

SHA512
700f0201fcf4fa3f591b7174d207071bbbca72f167d37f163d1caaad1a0f8d4cc2f484481d17570a9c7893023beee650ab3ee70d5596dfa6750cdeddceea4b39

Download Submit
C:\Windows\{3B62289B-2A3E-4ec1-9E49-6A306026E3C0}.exe

Filesize
91KB

MD5
d74503152f5dc1f8a90d32edc7295049

SHA1
bc7a7b549ad99a07bb3d5a415fedb36654c30170

SHA256
ffb00d9661387aff34d3cc7c830be76c6f345af07e3e4a6b27fe1153ffbd1c46

SHA512
94e47999c0d10cc6ed9bb2b0f34af1d76c3e49e1725c56833170764a03a1cfa6f5237804c901167d0c62b269f2a65ad7a30dd638d6ca48702b6aa13e7e0e6178

Download Submit
C:\Windows\{3BB419E2-731E-4356-BFD7-CC7262A51DFF}.exe

Filesize
91KB

MD5
096672f23726d899f272277a4271d25c

SHA1
481963f25fcbc4f07c1c0dab4d66e2acecacaabd

SHA256
aca259e286ebec7f1a925401f7f3ed77e41a4a5268f7c0e3e18850d6d67cdcaf

SHA512
da6fe83222fb48c501195ac19a8a379a5f65e1c706a49bda183e36f04eaca2790e20ad2a3bcc82613195283704df317353bab58511b308ce0dda1269ae0986ca

Download Submit
C:\Windows\{447F81DB-30A2-4e87-9B84-9689D0BE11B7}.exe

Filesize
91KB

MD5
89e6c5ac69096921dff5fc7eb10479e2

SHA1
a80bc98565a01fec856c4865f3669b05147a3b0b

SHA256
d36b4a73120c22bd09310856296afbe233686ee0c58f38c39bd91ac47edd0f8b

SHA512
e90bcb0eea7cec4b38dac92c660e180d3b4eaa2f193f816b3710714c71610086ff20c4d7c3a18cd22e3c690eb955dbabf780bd4221f21c9cb8ac7a2b94e08748

Download Submit
C:\Windows\{6B2C2F49-5371-4c55-A7C5-549AAC45C8A9}.exe

Filesize
91KB

MD5
a1faf6e39e515cb2e615e798f6b6edb6

SHA1
440b82e6257402f8303220eef9bb09fd4a7af812

SHA256
96e7ace689065edfcc215ff23ea7a759aeda8aa80bbfda1a9b21a9c7052cd95a

SHA512
2d09bd2c107d59d8b63164e81d1c111aed37dfa35a2d2b4c59b97ac03b0907e76f595abeff2f8ca46eba56370c28325bdcdfb3d129fb2c8cc95af637e6f0cbf6

Download Submit
C:\Windows\{99537D22-920D-4107-AEDA-28EE31F1DB84}.exe

Filesize
91KB

MD5
9f1e7207e0d6badae14bf3ed0bf85ee6

SHA1
4b18c4f85a49556d1e6a65f93a8bed0f0668b6cb

SHA256
c836a489c9fcdec90b0d6067c9085ad818801f2451cd4949674e7e09591d6afe

SHA512
4891a7a9b0e23960d5131e80e99cce21f09775f92f7e55e08e311032bf8ac141addddcc4d6fe92bbb145ce0cf201570b8a0c35f2dd3e4179fdadd7b99df9318b

Download Submit
C:\Windows\{C4E5BEDA-BE68-4ed6-BC45-468E89F5E86B}.exe

Filesize
91KB

MD5
9740bbf322ee5da5b9af80845f9d00d7

SHA1
020570fdb1fa9bb771bef62f25fbd676dc8bccbf

SHA256
f106190f40751ca0b4e972b48b88b3794a9488026b64097510110e9f3cf80216

SHA512
423f5abc7ae2fc6c753184e9745c8e4d1c9b9d144a746184d033e78ab836381427adf4101e13b2fc1b537803c1d1a9e5984b42a4b585b12c2f165dd3de598383

Download Submit
C:\Windows\{CDB09145-E266-48c2-B6AF-0C64DB0DA2D6}.exe

Filesize
91KB

MD5
4dec7c544f094fed07308e95f1002b27

SHA1
6e1aff243a1d298c86b160cda1a5bfeca21aac3f

SHA256
09bc59bd932bbbd10c0eee65363498a3d23da11237e8196437a8dd8fc7c8186b

SHA512
ba462dfdb68443713194a7aa5f9cd985430ab4dcbc4c60a5f10fb111a9ba5c47b9587a5cc4aadb9969231aa0230891e4675218627d43ee9ae78393927f6a8dae

Download Submit
C:\Windows\{E83C486D-4699-4975-A5E8-3BCE9D614CAE}.exe

Filesize
91KB

MD5
78e488fbd9df94aef56892771105f2a9

SHA1
da42036c727b5069fa32e4a5dbf2975a97964c7e

SHA256
c8245636898a56eaed01b707d2c784f6c4c35e126b99eadcf79447c8c8a021b0

SHA512
b52ca7eab879af051c3a45bbb4dc2721569c3c89bc1c2401d280dc9420046ae2da15a35e8b052387a3da344ce4059b50e400d5b7ea792c94c558269cb9cfef32

Download Submit
memory/444-74-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/444-69-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/1732-52-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/1732-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1972-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1972-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1972-80-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2024-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2024-43-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2560-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2560-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2560-23-0x0000000001BE0000-0x0000000001BF1000-memory.dmp

Filesize
68KB

Download
memory/2560-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2616-33-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2616-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2616-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2632-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2632-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2632-3-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2632-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2820-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2820-13-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2944-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2944-60-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads