d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe
Size

98KB
MD5

6166f7ea7af82fd671310bd3e50567d6
SHA1

3ef0851c5f4a0304676500a515799e62b6a3159f
SHA256

d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa
SHA512

edbda4d538d4dcdb3c8bce8e19820893b4c191508062e64044ff5befb729a74ddecefb788f7e8a37cd958aa674e783fc75280ee666bd97199754857ee2a919d8
SSDEEP

768:5vw9816thKQLroA4/wQkNrfrunMxVFA3b7glws:lEG/0oAlbunMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1C005E1-E350-45f1-A369-98287F626DB9}\stubpath = "C:\\Windows\\{C1C005E1-E350-45f1-A369-98287F626DB9}.exe"	{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE62B23E-AC93-4698-A2D7-B2C57548F138}	{C1C005E1-E350-45f1-A369-98287F626DB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB884378-528A-4855-91BC-7F8B5D017661}	{3C7ACFBC-986F-47b8-BE1F-FD8E83304C04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}	d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}\stubpath = "C:\\Windows\\{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe"	d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{601AB95B-F41A-4ede-A24B-DC3091ED776C}	{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFB97F84-7678-4768-8374-D6ADE4E087D2}\stubpath = "C:\\Windows\\{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe"	{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A453BA0-64D4-441c-9872-C0552830E9A3}\stubpath = "C:\\Windows\\{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe"	{3E1352FC-1862-437c-B12E-50B286619F83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E29A64E-421D-4cf7-B23E-0ACE71A1030F}\stubpath = "C:\\Windows\\{2E29A64E-421D-4cf7-B23E-0ACE71A1030F}.exe"	{EB884378-528A-4855-91BC-7F8B5D017661}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91596ADD-CD6F-4bba-8EEE-0952E222A28D}\stubpath = "C:\\Windows\\{91596ADD-CD6F-4bba-8EEE-0952E222A28D}.exe"	{2E29A64E-421D-4cf7-B23E-0ACE71A1030F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E1352FC-1862-437c-B12E-50B286619F83}\stubpath = "C:\\Windows\\{3E1352FC-1862-437c-B12E-50B286619F83}.exe"	{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1C005E1-E350-45f1-A369-98287F626DB9}	{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE62B23E-AC93-4698-A2D7-B2C57548F138}\stubpath = "C:\\Windows\\{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe"	{C1C005E1-E350-45f1-A369-98287F626DB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C7ACFBC-986F-47b8-BE1F-FD8E83304C04}\stubpath = "C:\\Windows\\{3C7ACFBC-986F-47b8-BE1F-FD8E83304C04}.exe"	{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{601AB95B-F41A-4ede-A24B-DC3091ED776C}\stubpath = "C:\\Windows\\{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe"	{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A453BA0-64D4-441c-9872-C0552830E9A3}	{3E1352FC-1862-437c-B12E-50B286619F83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C7ACFBC-986F-47b8-BE1F-FD8E83304C04}	{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E29A64E-421D-4cf7-B23E-0ACE71A1030F}	{EB884378-528A-4855-91BC-7F8B5D017661}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFB97F84-7678-4768-8374-D6ADE4E087D2}	{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E1352FC-1862-437c-B12E-50B286619F83}	{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB884378-528A-4855-91BC-7F8B5D017661}\stubpath = "C:\\Windows\\{EB884378-528A-4855-91BC-7F8B5D017661}.exe"	{3C7ACFBC-986F-47b8-BE1F-FD8E83304C04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91596ADD-CD6F-4bba-8EEE-0952E222A28D}	{2E29A64E-421D-4cf7-B23E-0ACE71A1030F}.exe

Deletes itself 1 IoCs

pid	Process
2324	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2952	{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe
2648	{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe
2396	{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe
1540	{3E1352FC-1862-437c-B12E-50B286619F83}.exe
1932	{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe
1636	{C1C005E1-E350-45f1-A369-98287F626DB9}.exe
356	{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe
2816	{3C7ACFBC-986F-47b8-BE1F-FD8E83304C04}.exe
1212	{EB884378-528A-4855-91BC-7F8B5D017661}.exe
1896	{2E29A64E-421D-4cf7-B23E-0ACE71A1030F}.exe
2008	{91596ADD-CD6F-4bba-8EEE-0952E222A28D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe	d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe
File created	C:\Windows\{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe	{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe
File created	C:\Windows\{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe	{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe
File created	C:\Windows\{3C7ACFBC-986F-47b8-BE1F-FD8E83304C04}.exe	{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe
File created	C:\Windows\{EB884378-528A-4855-91BC-7F8B5D017661}.exe	{3C7ACFBC-986F-47b8-BE1F-FD8E83304C04}.exe
File created	C:\Windows\{2E29A64E-421D-4cf7-B23E-0ACE71A1030F}.exe	{EB884378-528A-4855-91BC-7F8B5D017661}.exe
File created	C:\Windows\{91596ADD-CD6F-4bba-8EEE-0952E222A28D}.exe	{2E29A64E-421D-4cf7-B23E-0ACE71A1030F}.exe
File created	C:\Windows\{3E1352FC-1862-437c-B12E-50B286619F83}.exe	{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe
File created	C:\Windows\{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe	{3E1352FC-1862-437c-B12E-50B286619F83}.exe
File created	C:\Windows\{C1C005E1-E350-45f1-A369-98287F626DB9}.exe	{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe
File created	C:\Windows\{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe	{C1C005E1-E350-45f1-A369-98287F626DB9}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C1C005E1-E350-45f1-A369-98287F626DB9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EB884378-528A-4855-91BC-7F8B5D017661}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91596ADD-CD6F-4bba-8EEE-0952E222A28D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C7ACFBC-986F-47b8-BE1F-FD8E83304C04}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2E29A64E-421D-4cf7-B23E-0ACE71A1030F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3E1352FC-1862-437c-B12E-50B286619F83}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1316	d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe
Token: SeIncBasePriorityPrivilege	2952	{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe
Token: SeIncBasePriorityPrivilege	2648	{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe
Token: SeIncBasePriorityPrivilege	2396	{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe
Token: SeIncBasePriorityPrivilege	1540	{3E1352FC-1862-437c-B12E-50B286619F83}.exe
Token: SeIncBasePriorityPrivilege	1932	{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe
Token: SeIncBasePriorityPrivilege	1636	{C1C005E1-E350-45f1-A369-98287F626DB9}.exe
Token: SeIncBasePriorityPrivilege	356	{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe
Token: SeIncBasePriorityPrivilege	2816	{3C7ACFBC-986F-47b8-BE1F-FD8E83304C04}.exe
Token: SeIncBasePriorityPrivilege	1212	{EB884378-528A-4855-91BC-7F8B5D017661}.exe
Token: SeIncBasePriorityPrivilege	1896	{2E29A64E-421D-4cf7-B23E-0ACE71A1030F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2952	1316	d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe	31
PID 1316 wrote to memory of 2952	1316	d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe	31
PID 1316 wrote to memory of 2952	1316	d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe	31
PID 1316 wrote to memory of 2952	1316	d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe	31
PID 1316 wrote to memory of 2324	1316	d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe	32
PID 1316 wrote to memory of 2324	1316	d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe	32
PID 1316 wrote to memory of 2324	1316	d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe	32
PID 1316 wrote to memory of 2324	1316	d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe	32
PID 2952 wrote to memory of 2648	2952	{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe	33
PID 2952 wrote to memory of 2648	2952	{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe	33
PID 2952 wrote to memory of 2648	2952	{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe	33
PID 2952 wrote to memory of 2648	2952	{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe	33
PID 2952 wrote to memory of 2784	2952	{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe	34
PID 2952 wrote to memory of 2784	2952	{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe	34
PID 2952 wrote to memory of 2784	2952	{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe	34
PID 2952 wrote to memory of 2784	2952	{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe	34
PID 2648 wrote to memory of 2396	2648	{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe	35
PID 2648 wrote to memory of 2396	2648	{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe	35
PID 2648 wrote to memory of 2396	2648	{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe	35
PID 2648 wrote to memory of 2396	2648	{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe	35
PID 2648 wrote to memory of 2404	2648	{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe	36
PID 2648 wrote to memory of 2404	2648	{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe	36
PID 2648 wrote to memory of 2404	2648	{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe	36
PID 2648 wrote to memory of 2404	2648	{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe	36
PID 2396 wrote to memory of 1540	2396	{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe	37
PID 2396 wrote to memory of 1540	2396	{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe	37
PID 2396 wrote to memory of 1540	2396	{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe	37
PID 2396 wrote to memory of 1540	2396	{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe	37
PID 2396 wrote to memory of 2560	2396	{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe	38
PID 2396 wrote to memory of 2560	2396	{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe	38
PID 2396 wrote to memory of 2560	2396	{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe	38
PID 2396 wrote to memory of 2560	2396	{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe	38
PID 1540 wrote to memory of 1932	1540	{3E1352FC-1862-437c-B12E-50B286619F83}.exe	39
PID 1540 wrote to memory of 1932	1540	{3E1352FC-1862-437c-B12E-50B286619F83}.exe	39
PID 1540 wrote to memory of 1932	1540	{3E1352FC-1862-437c-B12E-50B286619F83}.exe	39
PID 1540 wrote to memory of 1932	1540	{3E1352FC-1862-437c-B12E-50B286619F83}.exe	39
PID 1540 wrote to memory of 788	1540	{3E1352FC-1862-437c-B12E-50B286619F83}.exe	40
PID 1540 wrote to memory of 788	1540	{3E1352FC-1862-437c-B12E-50B286619F83}.exe	40
PID 1540 wrote to memory of 788	1540	{3E1352FC-1862-437c-B12E-50B286619F83}.exe	40
PID 1540 wrote to memory of 788	1540	{3E1352FC-1862-437c-B12E-50B286619F83}.exe	40
PID 1932 wrote to memory of 1636	1932	{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe	41
PID 1932 wrote to memory of 1636	1932	{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe	41
PID 1932 wrote to memory of 1636	1932	{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe	41
PID 1932 wrote to memory of 1636	1932	{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe	41
PID 1932 wrote to memory of 1736	1932	{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe	42
PID 1932 wrote to memory of 1736	1932	{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe	42
PID 1932 wrote to memory of 1736	1932	{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe	42
PID 1932 wrote to memory of 1736	1932	{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe	42
PID 1636 wrote to memory of 356	1636	{C1C005E1-E350-45f1-A369-98287F626DB9}.exe	43
PID 1636 wrote to memory of 356	1636	{C1C005E1-E350-45f1-A369-98287F626DB9}.exe	43
PID 1636 wrote to memory of 356	1636	{C1C005E1-E350-45f1-A369-98287F626DB9}.exe	43
PID 1636 wrote to memory of 356	1636	{C1C005E1-E350-45f1-A369-98287F626DB9}.exe	43
PID 1636 wrote to memory of 1036	1636	{C1C005E1-E350-45f1-A369-98287F626DB9}.exe	44
PID 1636 wrote to memory of 1036	1636	{C1C005E1-E350-45f1-A369-98287F626DB9}.exe	44
PID 1636 wrote to memory of 1036	1636	{C1C005E1-E350-45f1-A369-98287F626DB9}.exe	44
PID 1636 wrote to memory of 1036	1636	{C1C005E1-E350-45f1-A369-98287F626DB9}.exe	44
PID 356 wrote to memory of 2816	356	{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe	45
PID 356 wrote to memory of 2816	356	{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe	45
PID 356 wrote to memory of 2816	356	{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe	45
PID 356 wrote to memory of 2816	356	{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe	45
PID 356 wrote to memory of 2808	356	{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe	46
PID 356 wrote to memory of 2808	356	{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe	46
PID 356 wrote to memory of 2808	356	{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe	46
PID 356 wrote to memory of 2808	356	{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe	46

C:\Users\Admin\AppData\Local\Temp\d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe
"C:\Users\Admin\AppData\Local\Temp\d25caebcef796e3d931cb240a6c234799d6a1849cb29c5952c9498697c6f55fa.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe
  C:\Windows\{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe
    C:\Windows\{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe
      C:\Windows\{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\{3E1352FC-1862-437c-B12E-50B286619F83}.exe
        
        C:\Windows\{3E1352FC-1862-437c-B12E-50B286619F83}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe
        
        C:\Windows\{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\{C1C005E1-E350-45f1-A369-98287F626DB9}.exe
        
        C:\Windows\{C1C005E1-E350-45f1-A369-98287F626DB9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe
        
        C:\Windows\{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:356
        
        C:\Windows\{3C7ACFBC-986F-47b8-BE1F-FD8E83304C04}.exe
        
        C:\Windows\{3C7ACFBC-986F-47b8-BE1F-FD8E83304C04}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\{EB884378-528A-4855-91BC-7F8B5D017661}.exe
        
        C:\Windows\{EB884378-528A-4855-91BC-7F8B5D017661}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Windows\{2E29A64E-421D-4cf7-B23E-0ACE71A1030F}.exe
        
        C:\Windows\{2E29A64E-421D-4cf7-B23E-0ACE71A1030F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\{91596ADD-CD6F-4bba-8EEE-0952E222A28D}.exe
        
        C:\Windows\{91596ADD-CD6F-4bba-8EEE-0952E222A28D}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E29A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB884~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C7AC~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE62B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1C00~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A453~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E135~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFB97~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{601AB~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{547E0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D25CAE~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2E29A64E-421D-4cf7-B23E-0ACE71A1030F}.exe

Filesize
98KB

MD5
784b4f199212ec831fea5766164a61bd

SHA1
e8b7ab55244888a6000445b3eee1d96191ca9a78

SHA256
e1b66c121fc75e0f67de6fe92be3953c3442983c4a398dfd1ca7ee72b68065b5

SHA512
7c4ce3c5a2a6d970cf6fdef069c4901b6a81f5f23ade60e3b72f6c42064f0051a46a275dff0ef956909765e57e20913a1ac4b400bf425f52597751694da9931a

Download Submit
C:\Windows\{3C7ACFBC-986F-47b8-BE1F-FD8E83304C04}.exe

Filesize
98KB

MD5
75a537029a536db4c2ad16f5579b402e

SHA1
93452a87f3fd4e90a4f5e933d8926af469a293c3

SHA256
3df8d51fbaa9f838e9880cc35e388015923190f924290fd561c46896f2fee2c5

SHA512
654cf275009ea47e54c4224e18104c4080497d5ff3d236f3deff99732d1715f8e5e492902727010d9c11862060464e6e7bca1cf901fda4c1f26dd1cc8bf5eb87

Download Submit
C:\Windows\{3E1352FC-1862-437c-B12E-50B286619F83}.exe

Filesize
98KB

MD5
15b2ae00b3e3601f48af187c89e3c843

SHA1
72686a5259be727d74fd72935d6d5840bbfcf9ca

SHA256
0808f895fd22f157c7801ecbdc05b913922791015b95f9b218e64abaafab1d53

SHA512
7324e0f986cef4daf1ac804a5fae1d7f131746365ce2004051b319ba62abca29324c34e42b7a070ae7ad4749c315746a5e41a093997fe0ced4d6120d131e41a9

Download Submit
C:\Windows\{547E0DBB-0680-4064-BDF3-FC888B5E8D4A}.exe

Filesize
98KB

MD5
5af629d5572bd888a56428f00b421cf7

SHA1
84d8964c89571b65ca84b2817ced5cf202190ea8

SHA256
00cc219c41f44d29050e905ae31a55a7192bad599b83362a27f41c452854dcdb

SHA512
85b31745f31a5f8208a74138c909e8a85057942ec70d1e3e69744525972c4615580094d55e48055d181125a0ede3a3ad2ed39353896b01436d9cee66ac69dc2f

Download Submit
C:\Windows\{601AB95B-F41A-4ede-A24B-DC3091ED776C}.exe

Filesize
98KB

MD5
80783a1dcdc911d2052227fcf107b879

SHA1
2445b398a54c98f9a316fa865122bc78fff50207

SHA256
160300257f3a6bdcfc82bea3fdb604b78d079ead35d073fc31a68bfe1951458e

SHA512
db3572fbbc9a852eeb087fe27fe953ac3df218c85b5d04a6c73d8206311f8f51a50b07ffa605b2aa9d64772ff05f8ee8eb2655904889b59573b8bc630b1539d3

Download Submit
C:\Windows\{7A453BA0-64D4-441c-9872-C0552830E9A3}.exe

Filesize
98KB

MD5
4dab14ef5c9caa267b7545d29370e85a

SHA1
e8e2b3e7ca53cf7d1776e06300f213c751974391

SHA256
7605c5daac8bdc69cc368868d1fb9fabf3b75dc721ac7796e9a65618d0c333f2

SHA512
d951b32a9a4bbc8d297b75cd4bd9c50cf7e8a83821faed2e69f37bd627f2ffe00d9e5cd92ee30c00d4231c1bc385fecd66c52d9b04bee3286c8e58d76678ee42

Download Submit
C:\Windows\{91596ADD-CD6F-4bba-8EEE-0952E222A28D}.exe

Filesize
98KB

MD5
c6c34819afeb0a24e40289b3a4a5e904

SHA1
a99c0f9111660cbc6ea4602d0b99caf7b205d07a

SHA256
a98e9e78d149f999a123cac0b11f02aed7cce7d6d6c39a129c2681b7bd32593f

SHA512
46a56942d1d783a095a4a1ae6423cea87121005d9410d976b23fe3a1e5468edb36c2972018d0bf91b624e5d27a064ef3413614b1a6eae71ea49896aa42982b01

Download Submit
C:\Windows\{BFB97F84-7678-4768-8374-D6ADE4E087D2}.exe

Filesize
98KB

MD5
125471d6795c2af748c2152fdfbc1587

SHA1
767e19c631ba36427527f7daad714ae34a59382a

SHA256
611399caf998aa4f6eb1bc3f89df763dc25e87ae03315255dc092498867a6a90

SHA512
197de5621520c80c254c326773c4fdbb250c782c5ce024be2ccd9e600f8141fc9e997db3254737889c16ec67024e376ff51f32530fc3936a2c7d1543d7bb87bc

Download Submit
C:\Windows\{C1C005E1-E350-45f1-A369-98287F626DB9}.exe

Filesize
98KB

MD5
c1901259e12276f8361a5a0b2e1ce887

SHA1
2348d6ef3f2313b34d505fd1d8cf387dbac4d93d

SHA256
2f1c40b3b759c8ac37aa30113d151976f0daf2adadebdc158811121aab5180e2

SHA512
300d198f092689385047c2107e67556530557b62ab1665dcf6c121b319b87faa328c16d65d4bc5f2557f69f0f886973c1fc5fe1081f952fbf86658b053ceab44

Download Submit
C:\Windows\{EB884378-528A-4855-91BC-7F8B5D017661}.exe

Filesize
98KB

MD5
777a61c72a1e8300f4587b04ae600f4b

SHA1
bad2f37784a91255d3911d413db4f080a8baf81e

SHA256
1d460a9053d48c8ec139dd3051ff6bf9af1c1d5fb979dd7e919b71f7b435a4a4

SHA512
9ef244c734376b4fded70c4565b7036fd8048ea3f40fc8d375c3a8df694f8395114c6c6873ecf890878fb1593121294628248c13209103d4f538d112ae0e0148

Download Submit
C:\Windows\{EE62B23E-AC93-4698-A2D7-B2C57548F138}.exe

Filesize
98KB

MD5
8adb053c9d180ddbe2672b8c968b31e9

SHA1
5931925580e2d653c71273d6e5c9872713af9975

SHA256
aaba9e9a9b3ddd1b6afad2e0f2cb0ebdb7d1e1dfc47705ef06eff3e4a6d3294e

SHA512
4314edefc4b95c4e3afa422fe7344c483c1d5ca4190b6201549507d8054281363975c9550f0ac7c2c97439155347db9eead536f726a94f3954c0c6c6c81fa613

Download Submit
memory/356-77-0x0000000000510000-0x0000000000521000-memory.dmp

Filesize
68KB

Download
memory/356-76-0x0000000000510000-0x0000000000521000-memory.dmp

Filesize
68KB

Download
memory/356-79-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1212-98-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1212-92-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/1316-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1316-4-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/1316-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1316-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1540-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1540-43-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/1540-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1636-63-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/1636-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1896-101-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/1896-107-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1932-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1932-58-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/1932-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1932-57-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2396-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2396-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2396-33-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/2648-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2648-23-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2648-27-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2648-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2816-83-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2816-87-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2816-89-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2952-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2952-13-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads