52bd24c60372be778b06c967d9ff13760e5d0ddd9792b82a9405172c21e5dc1d

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95c0c7ce6bbe3816aed1a093b7d36c00N.exe
Size

88KB
MD5

95c0c7ce6bbe3816aed1a093b7d36c00
SHA1

f17532a6b302af982b306b298b277f98180463d9
SHA256

52bd24c60372be778b06c967d9ff13760e5d0ddd9792b82a9405172c21e5dc1d
SHA512

cbdbe46c5e0f0dc9bcb2d8c81613ba4921b06957c26dcaffe2e9839785983db19136653c6f1d9c63178248e7247060a71ee2035b8c205b2d4e7a645b22d2f5e4
SSDEEP

768:5vw9816thKQLrog4/wQkNrfrunMxVFA3V:lEG/0oglbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}	{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}	{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03ABBE41-4FF7-4c69-B6A0-3B38D48CB5A0}	{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D169CAC-60AA-4881-965C-7DEDCF14FB78}\stubpath = "C:\\Windows\\{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe"	{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{252B5FA7-EF23-4fe9-9347-8037737D6AD8}	{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{252B5FA7-EF23-4fe9-9347-8037737D6AD8}\stubpath = "C:\\Windows\\{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe"	{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}\stubpath = "C:\\Windows\\{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe"	{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB6ECB9C-F6AB-4fed-881C-75EA5F3B0D5F}\stubpath = "C:\\Windows\\{AB6ECB9C-F6AB-4fed-881C-75EA5F3B0D5F}.exe"	{03ABBE41-4FF7-4c69-B6A0-3B38D48CB5A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}\stubpath = "C:\\Windows\\{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe"	{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D169CAC-60AA-4881-965C-7DEDCF14FB78}	{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53F4F30E-47DA-4997-A78E-DEBA23370AEF}\stubpath = "C:\\Windows\\{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe"	{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}	95c0c7ce6bbe3816aed1a093b7d36c00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}\stubpath = "C:\\Windows\\{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe"	95c0c7ce6bbe3816aed1a093b7d36c00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5662C582-9E3B-49ee-ADD7-512E8865C9B5}	{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5662C582-9E3B-49ee-ADD7-512E8865C9B5}\stubpath = "C:\\Windows\\{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe"	{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53F4F30E-47DA-4997-A78E-DEBA23370AEF}	{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03ABBE41-4FF7-4c69-B6A0-3B38D48CB5A0}\stubpath = "C:\\Windows\\{03ABBE41-4FF7-4c69-B6A0-3B38D48CB5A0}.exe"	{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB6ECB9C-F6AB-4fed-881C-75EA5F3B0D5F}	{03ABBE41-4FF7-4c69-B6A0-3B38D48CB5A0}.exe

Deletes itself 1 IoCs

pid	Process
2112	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
3016	{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe
2608	{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe
2852	{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe
2884	{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe
1268	{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe
2076	{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe
2296	{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe
2544	{03ABBE41-4FF7-4c69-B6A0-3B38D48CB5A0}.exe
1976	{AB6ECB9C-F6AB-4fed-881C-75EA5F3B0D5F}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe	{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe
File created	C:\Windows\{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe	{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe
File created	C:\Windows\{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe	{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe
File created	C:\Windows\{AB6ECB9C-F6AB-4fed-881C-75EA5F3B0D5F}.exe	{03ABBE41-4FF7-4c69-B6A0-3B38D48CB5A0}.exe
File created	C:\Windows\{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe	{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe
File created	C:\Windows\{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe	{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe
File created	C:\Windows\{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe	{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe
File created	C:\Windows\{03ABBE41-4FF7-4c69-B6A0-3B38D48CB5A0}.exe	{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe
File created	C:\Windows\{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe	95c0c7ce6bbe3816aed1a093b7d36c00N.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03ABBE41-4FF7-4c69-B6A0-3B38D48CB5A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AB6ECB9C-F6AB-4fed-881C-75EA5F3B0D5F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95c0c7ce6bbe3816aed1a093b7d36c00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2704	95c0c7ce6bbe3816aed1a093b7d36c00N.exe
Token: SeIncBasePriorityPrivilege	3016	{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe
Token: SeIncBasePriorityPrivilege	2608	{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe
Token: SeIncBasePriorityPrivilege	2852	{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe
Token: SeIncBasePriorityPrivilege	2884	{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe
Token: SeIncBasePriorityPrivilege	1268	{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe
Token: SeIncBasePriorityPrivilege	2076	{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe
Token: SeIncBasePriorityPrivilege	2296	{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe
Token: SeIncBasePriorityPrivilege	2544	{03ABBE41-4FF7-4c69-B6A0-3B38D48CB5A0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 3016	2704	95c0c7ce6bbe3816aed1a093b7d36c00N.exe	31
PID 2704 wrote to memory of 3016	2704	95c0c7ce6bbe3816aed1a093b7d36c00N.exe	31
PID 2704 wrote to memory of 3016	2704	95c0c7ce6bbe3816aed1a093b7d36c00N.exe	31
PID 2704 wrote to memory of 3016	2704	95c0c7ce6bbe3816aed1a093b7d36c00N.exe	31
PID 2704 wrote to memory of 2112	2704	95c0c7ce6bbe3816aed1a093b7d36c00N.exe	32
PID 2704 wrote to memory of 2112	2704	95c0c7ce6bbe3816aed1a093b7d36c00N.exe	32
PID 2704 wrote to memory of 2112	2704	95c0c7ce6bbe3816aed1a093b7d36c00N.exe	32
PID 2704 wrote to memory of 2112	2704	95c0c7ce6bbe3816aed1a093b7d36c00N.exe	32
PID 3016 wrote to memory of 2608	3016	{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe	33
PID 3016 wrote to memory of 2608	3016	{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe	33
PID 3016 wrote to memory of 2608	3016	{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe	33
PID 3016 wrote to memory of 2608	3016	{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe	33
PID 3016 wrote to memory of 2556	3016	{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe	34
PID 3016 wrote to memory of 2556	3016	{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe	34
PID 3016 wrote to memory of 2556	3016	{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe	34
PID 3016 wrote to memory of 2556	3016	{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe	34
PID 2608 wrote to memory of 2852	2608	{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe	35
PID 2608 wrote to memory of 2852	2608	{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe	35
PID 2608 wrote to memory of 2852	2608	{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe	35
PID 2608 wrote to memory of 2852	2608	{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe	35
PID 2608 wrote to memory of 2616	2608	{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe	36
PID 2608 wrote to memory of 2616	2608	{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe	36
PID 2608 wrote to memory of 2616	2608	{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe	36
PID 2608 wrote to memory of 2616	2608	{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe	36
PID 2852 wrote to memory of 2884	2852	{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe	37
PID 2852 wrote to memory of 2884	2852	{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe	37
PID 2852 wrote to memory of 2884	2852	{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe	37
PID 2852 wrote to memory of 2884	2852	{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe	37
PID 2852 wrote to memory of 2056	2852	{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe	38
PID 2852 wrote to memory of 2056	2852	{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe	38
PID 2852 wrote to memory of 2056	2852	{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe	38
PID 2852 wrote to memory of 2056	2852	{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe	38
PID 2884 wrote to memory of 1268	2884	{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe	39
PID 2884 wrote to memory of 1268	2884	{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe	39
PID 2884 wrote to memory of 1268	2884	{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe	39
PID 2884 wrote to memory of 1268	2884	{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe	39
PID 2884 wrote to memory of 348	2884	{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe	40
PID 2884 wrote to memory of 348	2884	{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe	40
PID 2884 wrote to memory of 348	2884	{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe	40
PID 2884 wrote to memory of 348	2884	{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe	40
PID 1268 wrote to memory of 2076	1268	{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe	41
PID 1268 wrote to memory of 2076	1268	{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe	41
PID 1268 wrote to memory of 2076	1268	{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe	41
PID 1268 wrote to memory of 2076	1268	{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe	41
PID 1268 wrote to memory of 1036	1268	{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe	42
PID 1268 wrote to memory of 1036	1268	{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe	42
PID 1268 wrote to memory of 1036	1268	{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe	42
PID 1268 wrote to memory of 1036	1268	{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe	42
PID 2076 wrote to memory of 2296	2076	{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe	43
PID 2076 wrote to memory of 2296	2076	{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe	43
PID 2076 wrote to memory of 2296	2076	{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe	43
PID 2076 wrote to memory of 2296	2076	{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe	43
PID 2076 wrote to memory of 1128	2076	{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe	44
PID 2076 wrote to memory of 1128	2076	{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe	44
PID 2076 wrote to memory of 1128	2076	{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe	44
PID 2076 wrote to memory of 1128	2076	{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe	44
PID 2296 wrote to memory of 2544	2296	{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe	45
PID 2296 wrote to memory of 2544	2296	{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe	45
PID 2296 wrote to memory of 2544	2296	{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe	45
PID 2296 wrote to memory of 2544	2296	{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe	45
PID 2296 wrote to memory of 2128	2296	{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe	46
PID 2296 wrote to memory of 2128	2296	{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe	46
PID 2296 wrote to memory of 2128	2296	{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe	46
PID 2296 wrote to memory of 2128	2296	{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe	46

C:\Users\Admin\AppData\Local\Temp\95c0c7ce6bbe3816aed1a093b7d36c00N.exe
"C:\Users\Admin\AppData\Local\Temp\95c0c7ce6bbe3816aed1a093b7d36c00N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe
  C:\Windows\{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe
    C:\Windows\{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe
      C:\Windows\{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe
        
        C:\Windows\{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe
        
        C:\Windows\{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe
        
        C:\Windows\{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe
        
        C:\Windows\{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\{03ABBE41-4FF7-4c69-B6A0-3B38D48CB5A0}.exe
        
        C:\Windows\{03ABBE41-4FF7-4c69-B6A0-3B38D48CB5A0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\{AB6ECB9C-F6AB-4fed-881C-75EA5F3B0D5F}.exe
        
        C:\Windows\{AB6ECB9C-F6AB-4fed-881C-75EA5F3B0D5F}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03ABB~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2A27~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53F4F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5662C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1036
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{252B5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:348
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D169~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A0D70~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1AC78~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\95C0C7~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03ABBE41-4FF7-4c69-B6A0-3B38D48CB5A0}.exe

Filesize
88KB

MD5
3029a6ece8febe6c07753ef99004e913

SHA1
960ed4c4d81720f07860528840c23d45b7eff6d0

SHA256
7b172e6b54d5200d1e0e36a6d4baffcb6a6893d55b418a320e417ae023d7c7da

SHA512
a83c9e00925525114f9880b31996d446b1af399dc19f9dc8a8c67c14892a565a373bcb798e56b0d974812a3ec2d080a47f0d530d361863c5a1fafa6e49072491

Download Submit
C:\Windows\{1AC788BD-503A-4675-9E2F-596B0CA2E5DE}.exe

Filesize
88KB

MD5
9210ec4ec7ee3136e1c16c3cba9b2b64

SHA1
a7c950cfa9d9f6964e3a5decbe74a9573dbffc16

SHA256
e38aaafc358d05e548fd5129a024e213641b959ed51379c03d44f336f9111825

SHA512
8ec20328f64ab0f13de54c43e939d2682f40dfbd1c15b4413a39b721ed2e44ba7eb0a3afd9997e13425158efbd340d0b589fcf831cf59fd621997009cfdc4637

Download Submit
C:\Windows\{252B5FA7-EF23-4fe9-9347-8037737D6AD8}.exe

Filesize
88KB

MD5
84eb5cef9b682ddb70f55bae34a55e4c

SHA1
2f1af0909a78c26530becb71825b00de40f1b2ed

SHA256
41826b0ab0d1c199bc542e62ea42f1623e2faa5db9a729d89319630131c09d3d

SHA512
8044029a7c3429d591239762124b1e30b421ffc8c7165a4e6e64bf769126d82163760f678674b46717c769912b644b6e5a1abfc46d43c851eb499295c30dd28c

Download Submit
C:\Windows\{53F4F30E-47DA-4997-A78E-DEBA23370AEF}.exe

Filesize
88KB

MD5
efdadd1a4b77b4f10f1734fed697ebe5

SHA1
539d80f5276e5f54ba58c4f24f93186ebfe1f941

SHA256
2472609816fddaec3aff49c0f0b40eb69a9704ec47fe8d494cd6f355eacdf0b0

SHA512
2ba0f9866ef63aa5b58fc1e87a5aeb01db6c783b484025abded965ad99b355b6ffaf9a788ab426559586974046b62f3e0e322e000cb8d917771e972b493d1219

Download Submit
C:\Windows\{5662C582-9E3B-49ee-ADD7-512E8865C9B5}.exe

Filesize
88KB

MD5
526c1ae2b6c152959dd5fe444970c860

SHA1
73d788f7667229f9237c646bd1a55175dce61ca8

SHA256
63225797b2b8876694848612434d401e8ce334c657906c744bda1ec8279d9afa

SHA512
d9a348c7cfa666f54ba454d69f750bf842fc281ae32b9b7aec113e0034b52b50bdbab905f8c370c4ea48775911a5c472006d3bd25f84a228662e53b7fba2e6b3

Download Submit
C:\Windows\{7D169CAC-60AA-4881-965C-7DEDCF14FB78}.exe

Filesize
88KB

MD5
2c75e3704b945919080544ac95f7d491

SHA1
dfc78865ea6cf56cd503ff6d0235b15aa86a9867

SHA256
e5cbee01ccdb798d20f6a47188b194226988813cb72182d78dec3a0e7732dd1c

SHA512
1b32ec4cd8006862b0a05cfa86e4bcafdc470bdcf81f3642368a8885d45983c3645453c42293fde7da069e547824b3a8e56a97c4c7a88df439a875064a2f2615

Download Submit
C:\Windows\{A0D701B8-2733-4bf4-BE4F-2FB7F56ACE6D}.exe

Filesize
88KB

MD5
7c0f31f85ea9bcb129d91a5b157162dc

SHA1
ae28d3fafe08f6a41bf71ba3c8e18d1b331e0cfd

SHA256
8bae721cb39029ffa1fde9cc8d03ba6d5cb4d27b134e313249144a3e73f86709

SHA512
3515779b29ee3dc16a5e076fc4a8eb80513e96b663d36cc51de29a17da933950072a221fb6f10007bf026582c891dbac3e629ba46476ca87809c0b84aa945032

Download Submit
C:\Windows\{AB6ECB9C-F6AB-4fed-881C-75EA5F3B0D5F}.exe

Filesize
88KB

MD5
6b4eacdd3bcb3508eed621086fc9f797

SHA1
a4eea7db81e7011762c3086e806c9d72e8b5590e

SHA256
a96a3badea31717eb454e27e1842513360f22b5d3699d0ae9625d61ace89edc9

SHA512
f077c39d72d68dc22d604a2b208000034a8c914995c8fa16dc80e0467f0187dc5f004773ffed25b7eed739a8432aee61bbc3d9e9ca9c67e3766b5002251b2aa1

Download Submit
C:\Windows\{D2A27DFC-A4FC-40c5-A97B-ACE87B84B8D5}.exe

Filesize
88KB

MD5
f219895f0787ae3178b8088b79c5d817

SHA1
cfeb8b5ca3725184329cd7a08e4109612ee2e37e

SHA256
a985c161d0336482befa4c7e0e30625fb37fe65c82d0abce764f8282fe7a8f09

SHA512
eadfc760583d11850766a1d0a80a517dbd6ac3f71ae3ec4866d8169854f5c340abd1687b974da68eb72d42444700dfc30de7300e55c6e5d57d9f2d17001d16e4

Download Submit
memory/1268-54-0x0000000000470000-0x0000000000481000-memory.dmp

Filesize
68KB

Download
memory/1268-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1268-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1268-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1976-90-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2076-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2076-68-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2076-64-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2296-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2296-75-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/2296-80-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2544-83-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/2544-89-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-23-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/2704-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2704-4-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/2704-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2704-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2852-39-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2852-32-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2852-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2884-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2884-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2884-43-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/3016-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3016-14-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/3016-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads