0733c4233e1ed3dfde64cf494527ac1f14c174b4b32b39db6830b7e7a852822a

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a449f5f43674efd0bd0185ff357ac4e0N.exe
Size

79KB
MD5

a449f5f43674efd0bd0185ff357ac4e0
SHA1

c9b45135c8fbc011719ab4a632d18938b4247927
SHA256

0733c4233e1ed3dfde64cf494527ac1f14c174b4b32b39db6830b7e7a852822a
SHA512

6686b35d3ab7e4bc369be25e636c6354717136a13062b77f301f8496405740f6f335f14afe6be1f8511290f82c80d963c51159e516c9334e80273ac766f1eee7
SSDEEP

768:4vw9816vhKQLroO4/wQpWMZ3XOQ69zbjlAAX5e9zz:wEGh0oOloWMZ3izbR9Xwzz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}	{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F09B042-5A19-4264-9F3C-B7B4FB0A5BB2}\stubpath = "C:\\Windows\\{8F09B042-5A19-4264-9F3C-B7B4FB0A5BB2}.exe"	{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4DDE07A-452C-455e-8472-D3872E2E4582}	{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4DDE07A-452C-455e-8472-D3872E2E4582}\stubpath = "C:\\Windows\\{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe"	{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{164108BA-C948-4080-B4A4-ADAFD90DD462}\stubpath = "C:\\Windows\\{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe"	{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}\stubpath = "C:\\Windows\\{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe"	{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F09B042-5A19-4264-9F3C-B7B4FB0A5BB2}	{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA75AC9F-F789-47cc-888F-88268C30CC21}	{8F09B042-5A19-4264-9F3C-B7B4FB0A5BB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}	a449f5f43674efd0bd0185ff357ac4e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}\stubpath = "C:\\Windows\\{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe"	{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48283EE2-2FCC-4af3-9735-54F0B7722BE9}\stubpath = "C:\\Windows\\{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe"	{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA75AC9F-F789-47cc-888F-88268C30CC21}\stubpath = "C:\\Windows\\{CA75AC9F-F789-47cc-888F-88268C30CC21}.exe"	{8F09B042-5A19-4264-9F3C-B7B4FB0A5BB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}\stubpath = "C:\\Windows\\{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe"	a449f5f43674efd0bd0185ff357ac4e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C689E14-229D-4fcc-80DE-42F77E005BD1}	{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48283EE2-2FCC-4af3-9735-54F0B7722BE9}	{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}	{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{164108BA-C948-4080-B4A4-ADAFD90DD462}	{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C689E14-229D-4fcc-80DE-42F77E005BD1}\stubpath = "C:\\Windows\\{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe"	{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2168	{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe
2904	{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe
2748	{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe
3056	{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe
328	{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe
1084	{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe
1880	{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe
1476	{8F09B042-5A19-4264-9F3C-B7B4FB0A5BB2}.exe
432	{CA75AC9F-F789-47cc-888F-88268C30CC21}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe	{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe
File created	C:\Windows\{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe	{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe
File created	C:\Windows\{8F09B042-5A19-4264-9F3C-B7B4FB0A5BB2}.exe	{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe
File created	C:\Windows\{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe	{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe
File created	C:\Windows\{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe	{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe
File created	C:\Windows\{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe	{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe
File created	C:\Windows\{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe	{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe
File created	C:\Windows\{CA75AC9F-F789-47cc-888F-88268C30CC21}.exe	{8F09B042-5A19-4264-9F3C-B7B4FB0A5BB2}.exe
File created	C:\Windows\{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe	a449f5f43674efd0bd0185ff357ac4e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA75AC9F-F789-47cc-888F-88268C30CC21}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a449f5f43674efd0bd0185ff357ac4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F09B042-5A19-4264-9F3C-B7B4FB0A5BB2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2960	a449f5f43674efd0bd0185ff357ac4e0N.exe
Token: SeIncBasePriorityPrivilege	2168	{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe
Token: SeIncBasePriorityPrivilege	2904	{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe
Token: SeIncBasePriorityPrivilege	2748	{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe
Token: SeIncBasePriorityPrivilege	3056	{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe
Token: SeIncBasePriorityPrivilege	328	{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe
Token: SeIncBasePriorityPrivilege	1084	{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe
Token: SeIncBasePriorityPrivilege	1880	{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe
Token: SeIncBasePriorityPrivilege	1476	{8F09B042-5A19-4264-9F3C-B7B4FB0A5BB2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2168	2960	a449f5f43674efd0bd0185ff357ac4e0N.exe	30
PID 2960 wrote to memory of 2168	2960	a449f5f43674efd0bd0185ff357ac4e0N.exe	30
PID 2960 wrote to memory of 2168	2960	a449f5f43674efd0bd0185ff357ac4e0N.exe	30
PID 2960 wrote to memory of 2168	2960	a449f5f43674efd0bd0185ff357ac4e0N.exe	30
PID 2960 wrote to memory of 2784	2960	a449f5f43674efd0bd0185ff357ac4e0N.exe	31
PID 2960 wrote to memory of 2784	2960	a449f5f43674efd0bd0185ff357ac4e0N.exe	31
PID 2960 wrote to memory of 2784	2960	a449f5f43674efd0bd0185ff357ac4e0N.exe	31
PID 2960 wrote to memory of 2784	2960	a449f5f43674efd0bd0185ff357ac4e0N.exe	31
PID 2168 wrote to memory of 2904	2168	{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe	32
PID 2168 wrote to memory of 2904	2168	{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe	32
PID 2168 wrote to memory of 2904	2168	{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe	32
PID 2168 wrote to memory of 2904	2168	{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe	32
PID 2168 wrote to memory of 2856	2168	{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe	33
PID 2168 wrote to memory of 2856	2168	{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe	33
PID 2168 wrote to memory of 2856	2168	{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe	33
PID 2168 wrote to memory of 2856	2168	{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe	33
PID 2904 wrote to memory of 2748	2904	{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe	34
PID 2904 wrote to memory of 2748	2904	{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe	34
PID 2904 wrote to memory of 2748	2904	{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe	34
PID 2904 wrote to memory of 2748	2904	{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe	34
PID 2904 wrote to memory of 2636	2904	{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe	35
PID 2904 wrote to memory of 2636	2904	{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe	35
PID 2904 wrote to memory of 2636	2904	{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe	35
PID 2904 wrote to memory of 2636	2904	{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe	35
PID 2748 wrote to memory of 3056	2748	{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe	36
PID 2748 wrote to memory of 3056	2748	{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe	36
PID 2748 wrote to memory of 3056	2748	{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe	36
PID 2748 wrote to memory of 3056	2748	{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe	36
PID 2748 wrote to memory of 3060	2748	{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe	37
PID 2748 wrote to memory of 3060	2748	{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe	37
PID 2748 wrote to memory of 3060	2748	{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe	37
PID 2748 wrote to memory of 3060	2748	{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe	37
PID 3056 wrote to memory of 328	3056	{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe	38
PID 3056 wrote to memory of 328	3056	{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe	38
PID 3056 wrote to memory of 328	3056	{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe	38
PID 3056 wrote to memory of 328	3056	{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe	38
PID 3056 wrote to memory of 2488	3056	{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe	39
PID 3056 wrote to memory of 2488	3056	{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe	39
PID 3056 wrote to memory of 2488	3056	{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe	39
PID 3056 wrote to memory of 2488	3056	{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe	39
PID 328 wrote to memory of 1084	328	{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe	40
PID 328 wrote to memory of 1084	328	{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe	40
PID 328 wrote to memory of 1084	328	{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe	40
PID 328 wrote to memory of 1084	328	{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe	40
PID 328 wrote to memory of 3028	328	{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe	41
PID 328 wrote to memory of 3028	328	{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe	41
PID 328 wrote to memory of 3028	328	{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe	41
PID 328 wrote to memory of 3028	328	{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe	41
PID 1084 wrote to memory of 1880	1084	{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe	42
PID 1084 wrote to memory of 1880	1084	{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe	42
PID 1084 wrote to memory of 1880	1084	{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe	42
PID 1084 wrote to memory of 1880	1084	{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe	42
PID 1084 wrote to memory of 1656	1084	{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe	43
PID 1084 wrote to memory of 1656	1084	{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe	43
PID 1084 wrote to memory of 1656	1084	{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe	43
PID 1084 wrote to memory of 1656	1084	{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe	43
PID 1880 wrote to memory of 1476	1880	{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe	44
PID 1880 wrote to memory of 1476	1880	{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe	44
PID 1880 wrote to memory of 1476	1880	{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe	44
PID 1880 wrote to memory of 1476	1880	{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe	44
PID 1880 wrote to memory of 928	1880	{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe	45
PID 1880 wrote to memory of 928	1880	{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe	45
PID 1880 wrote to memory of 928	1880	{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe	45
PID 1880 wrote to memory of 928	1880	{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe	45

C:\Users\Admin\AppData\Local\Temp\a449f5f43674efd0bd0185ff357ac4e0N.exe
"C:\Users\Admin\AppData\Local\Temp\a449f5f43674efd0bd0185ff357ac4e0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe
  C:\Windows\{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe
    C:\Windows\{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe
      C:\Windows\{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe
        
        C:\Windows\{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe
        
        C:\Windows\{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe
        
        C:\Windows\{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe
        
        C:\Windows\{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\{8F09B042-5A19-4264-9F3C-B7B4FB0A5BB2}.exe
        
        C:\Windows\{8F09B042-5A19-4264-9F3C-B7B4FB0A5BB2}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\{CA75AC9F-F789-47cc-888F-88268C30CC21}.exe
        
        C:\Windows\{CA75AC9F-F789-47cc-888F-88268C30CC21}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F09B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D2BC~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48283~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C689~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16410~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29C53~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A4DDE~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{85CA3~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A449F5~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{164108BA-C948-4080-B4A4-ADAFD90DD462}.exe

Filesize
79KB

MD5
7c8b8b7951eb0b33a1559226f486d04c

SHA1
d60d00761c3afc848a2525804fbf4798aa05ae5a

SHA256
d48d5e4b8a1af853c37e296f7cb5264feef6c62a26442cbe3cadf8880d056d7d

SHA512
e64bb27308c44d65d5d574a41627db5b94b3a1bfeb1274b2795e39a827a1afbff4934153d020d80eaba4900895b5d421f68e08327fd4da4416f8ef7e24660fa2

Download Submit
C:\Windows\{1C689E14-229D-4fcc-80DE-42F77E005BD1}.exe

Filesize
79KB

MD5
4f330f3cbc9b254a7e8e116b90675a57

SHA1
d7d94b98a577539ae1183064fae7c747a83cb26b

SHA256
7ce72bc97f0a13aca3b051fcba60765c524cd5d2098eb8cd2a5e10940432c512

SHA512
687158c81c364e1828761b4ab1f01659e46866afab06e3012ec59182e05af9f76322edfbb8a427019754cbf267003e950a2e500137d06b127c6485dbb6d89c19

Download Submit
C:\Windows\{29C5355C-3DC2-4749-8E89-7A6EDCC301A0}.exe

Filesize
79KB

MD5
04e9d6ef274d6fd37363e0ddc5713d4b

SHA1
bcb22ab78236bee372a42755d9e088ccec7a4c71

SHA256
62464003b1df06681b3ef383fae24b4b574b6e389a41e1fe0066ea0d8693b47e

SHA512
67971a05060fa7c61f89f9ad78f47bb5070dcbffc6c94817d4ddcc5015eb1f35e60fa9b91f3a14822886cadb9c40fb2835a2b91f6cc9d1f14e676ec4086168a3

Download Submit
C:\Windows\{48283EE2-2FCC-4af3-9735-54F0B7722BE9}.exe

Filesize
79KB

MD5
31527f8c383c6d16f4649da4a298762f

SHA1
7cdbad65bde90cad156c07f61f6e3e851740ea37

SHA256
f7e13cd70cdc5943284241ff8f5be59392fd7306b01e6aa40a8d709e847b08ad

SHA512
cd7349d5504a6aa4d27007f12235163f5dcba55799c2493bdca9aee2c9f4021909f23dd8fa03d3e0a29d4e279c9742ee5945bc50ddcfeac9502f0b0a49609ea3

Download Submit
C:\Windows\{5D2BC8D2-3776-4025-9A1E-AF9CA508A4B8}.exe

Filesize
79KB

MD5
be68f729c9b5aa254a163e4825963fce

SHA1
330aa04b59ef5934afa0444ec30fd4e253eca938

SHA256
96d85ce64b5b00bf2bdaf134a1e92704a46577e7710b36421b727cec5ccb1f64

SHA512
c84a52bee417e43e2eb2c98ac9791990d30360133ab5d0a191c10c7c5e5b14177fb63893702fbb228ef0e2ef0c2860357b772661ede2aec6cd1718dfeda81f8e

Download Submit
C:\Windows\{85CA33A9-80AE-4f41-BCC3-FAB25002AA1B}.exe

Filesize
79KB

MD5
bfb36dcb10c54eba6a2952e5982a8e36

SHA1
70dee12eaa8cad1064030b9af1ed2cb6ece1dfe8

SHA256
c007a5a823f32b957516fb1289ec6df5ca3058b9b6ee99c42ac8f1e29c87565e

SHA512
a5175705e812f97e86d043e45c056a9060cab4ae1a2ff5c22da856a7c0c11ab71d06b7e3428fb8c867823684db7d04237d2e17a4fb00a0f1dd2ed56daaddea45

Download Submit
C:\Windows\{8F09B042-5A19-4264-9F3C-B7B4FB0A5BB2}.exe

Filesize
79KB

MD5
a8e143120c8b4522189f7d3149044b82

SHA1
0e7bd47ee72984da28d574c64dd96f9aa4188225

SHA256
df8e0f474f1e07a1098a6bda0500b0bf2511f8295b7953b77a7878142858987b

SHA512
9ecfd494442e357863b9a755bd2bbe1653858047bac23caf3f9f63b5237e32e1cb285b00f420d15e155dd99d9755332b96c9dd4630405336f945fcffa21ca163

Download Submit
C:\Windows\{A4DDE07A-452C-455e-8472-D3872E2E4582}.exe

Filesize
79KB

MD5
2c0d4e58ae61f507df0393944cb774a4

SHA1
0df9378308ee287bb8211f38476d38190585590a

SHA256
36d703cafbeada9ce81c26b3ecda8487f3295a93191761d2df329832d7f93e50

SHA512
128752120c167cb9ef75894e7718304c54f870e28aedc7ddc698142d4c22fb96b4496a4e81ed6ec78c86ab4e43bcead967f7b464aa6f99f35126f32f69a61bec

Download Submit
C:\Windows\{CA75AC9F-F789-47cc-888F-88268C30CC21}.exe

Filesize
79KB

MD5
dbd88fc3f1f7a372d899c2a18bc572d1

SHA1
671f67148a2baed063014655145fcc5538bad007

SHA256
41ba06af84a50d65198ee9c8552f5cac20e52c376db611cf40a6ce0884ab8ad1

SHA512
e3c93b31b19b5d5efdd5d4f694dc592400fe97a0fd69f9805ec5c7d2a17c0b679998b9a4b103c739f795d37fcdf325a3824892299938eb72210a6b307a3a9fdf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads