da54a95babcfa980301a49aea43785300359058475d15a7db4953c4f3b90ca56

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

403cd30bf0eaa0b11ab34e9b54c896b0N.exe
Size

88KB
MD5

403cd30bf0eaa0b11ab34e9b54c896b0
SHA1

cbef4bf5856003c5140823483c2b91c88fde6c14
SHA256

da54a95babcfa980301a49aea43785300359058475d15a7db4953c4f3b90ca56
SHA512

452e8c20bd2545fe49815bba0ed5426de08b58dc52d9e673cb4926ec05cffa67e3f679ef6bea1a627cadcdc04083c806bd47cb6a1034bed6a4fe150ca3e4e9fe
SSDEEP

768:5vw9816thKQLroh4/wQkNrfrunMxVFA3V:lEG/0ohlbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}	{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}	{CCD68156-0826-446a-9183-C85894736424}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}\stubpath = "C:\\Windows\\{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe"	{CCD68156-0826-446a-9183-C85894736424}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA969755-9564-4ff2-8C33-FDE8D8372199}\stubpath = "C:\\Windows\\{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe"	{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD9A051E-82B9-428a-8F3A-0F86F5DA1D53}\stubpath = "C:\\Windows\\{CD9A051E-82B9-428a-8F3A-0F86F5DA1D53}.exe"	{FCEA923F-5138-4a3a-9206-BEB9C1A7A498}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F67A0085-0ADF-444f-ADEA-F88B4C690193}	403cd30bf0eaa0b11ab34e9b54c896b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}\stubpath = "C:\\Windows\\{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe"	{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD68156-0826-446a-9183-C85894736424}	{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD68156-0826-446a-9183-C85894736424}\stubpath = "C:\\Windows\\{CCD68156-0826-446a-9183-C85894736424}.exe"	{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA969755-9564-4ff2-8C33-FDE8D8372199}	{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD361BC5-9470-44b9-8D41-BB123C61B557}\stubpath = "C:\\Windows\\{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe"	{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}	{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCEA923F-5138-4a3a-9206-BEB9C1A7A498}	{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCEA923F-5138-4a3a-9206-BEB9C1A7A498}\stubpath = "C:\\Windows\\{FCEA923F-5138-4a3a-9206-BEB9C1A7A498}.exe"	{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F67A0085-0ADF-444f-ADEA-F88B4C690193}\stubpath = "C:\\Windows\\{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe"	403cd30bf0eaa0b11ab34e9b54c896b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD361BC5-9470-44b9-8D41-BB123C61B557}	{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}\stubpath = "C:\\Windows\\{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe"	{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD9A051E-82B9-428a-8F3A-0F86F5DA1D53}	{FCEA923F-5138-4a3a-9206-BEB9C1A7A498}.exe

Deletes itself 1 IoCs

pid	Process
1500	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2520	{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe
2768	{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe
2812	{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe
1004	{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe
2100	{CCD68156-0826-446a-9183-C85894736424}.exe
1616	{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe
1948	{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe
2840	{FCEA923F-5138-4a3a-9206-BEB9C1A7A498}.exe
1688	{CD9A051E-82B9-428a-8F3A-0F86F5DA1D53}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe	{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe
File created	C:\Windows\{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe	{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe
File created	C:\Windows\{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe	{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe
File created	C:\Windows\{CCD68156-0826-446a-9183-C85894736424}.exe	{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe
File created	C:\Windows\{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe	{CCD68156-0826-446a-9183-C85894736424}.exe
File created	C:\Windows\{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe	{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe
File created	C:\Windows\{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe	403cd30bf0eaa0b11ab34e9b54c896b0N.exe
File created	C:\Windows\{FCEA923F-5138-4a3a-9206-BEB9C1A7A498}.exe	{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe
File created	C:\Windows\{CD9A051E-82B9-428a-8F3A-0F86F5DA1D53}.exe	{FCEA923F-5138-4a3a-9206-BEB9C1A7A498}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD9A051E-82B9-428a-8F3A-0F86F5DA1D53}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	403cd30bf0eaa0b11ab34e9b54c896b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FCEA923F-5138-4a3a-9206-BEB9C1A7A498}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CCD68156-0826-446a-9183-C85894736424}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2112	403cd30bf0eaa0b11ab34e9b54c896b0N.exe
Token: SeIncBasePriorityPrivilege	2520	{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe
Token: SeIncBasePriorityPrivilege	2768	{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe
Token: SeIncBasePriorityPrivilege	2812	{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe
Token: SeIncBasePriorityPrivilege	1004	{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe
Token: SeIncBasePriorityPrivilege	2100	{CCD68156-0826-446a-9183-C85894736424}.exe
Token: SeIncBasePriorityPrivilege	1616	{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe
Token: SeIncBasePriorityPrivilege	1948	{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe
Token: SeIncBasePriorityPrivilege	2840	{FCEA923F-5138-4a3a-9206-BEB9C1A7A498}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2520	2112	403cd30bf0eaa0b11ab34e9b54c896b0N.exe	31
PID 2112 wrote to memory of 2520	2112	403cd30bf0eaa0b11ab34e9b54c896b0N.exe	31
PID 2112 wrote to memory of 2520	2112	403cd30bf0eaa0b11ab34e9b54c896b0N.exe	31
PID 2112 wrote to memory of 2520	2112	403cd30bf0eaa0b11ab34e9b54c896b0N.exe	31
PID 2112 wrote to memory of 1500	2112	403cd30bf0eaa0b11ab34e9b54c896b0N.exe	32
PID 2112 wrote to memory of 1500	2112	403cd30bf0eaa0b11ab34e9b54c896b0N.exe	32
PID 2112 wrote to memory of 1500	2112	403cd30bf0eaa0b11ab34e9b54c896b0N.exe	32
PID 2112 wrote to memory of 1500	2112	403cd30bf0eaa0b11ab34e9b54c896b0N.exe	32
PID 2520 wrote to memory of 2768	2520	{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe	33
PID 2520 wrote to memory of 2768	2520	{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe	33
PID 2520 wrote to memory of 2768	2520	{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe	33
PID 2520 wrote to memory of 2768	2520	{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe	33
PID 2520 wrote to memory of 2896	2520	{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe	34
PID 2520 wrote to memory of 2896	2520	{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe	34
PID 2520 wrote to memory of 2896	2520	{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe	34
PID 2520 wrote to memory of 2896	2520	{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe	34
PID 2768 wrote to memory of 2812	2768	{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe	35
PID 2768 wrote to memory of 2812	2768	{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe	35
PID 2768 wrote to memory of 2812	2768	{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe	35
PID 2768 wrote to memory of 2812	2768	{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe	35
PID 2768 wrote to memory of 2964	2768	{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe	36
PID 2768 wrote to memory of 2964	2768	{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe	36
PID 2768 wrote to memory of 2964	2768	{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe	36
PID 2768 wrote to memory of 2964	2768	{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe	36
PID 2812 wrote to memory of 1004	2812	{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe	37
PID 2812 wrote to memory of 1004	2812	{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe	37
PID 2812 wrote to memory of 1004	2812	{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe	37
PID 2812 wrote to memory of 1004	2812	{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe	37
PID 2812 wrote to memory of 2648	2812	{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe	38
PID 2812 wrote to memory of 2648	2812	{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe	38
PID 2812 wrote to memory of 2648	2812	{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe	38
PID 2812 wrote to memory of 2648	2812	{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe	38
PID 1004 wrote to memory of 2100	1004	{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe	39
PID 1004 wrote to memory of 2100	1004	{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe	39
PID 1004 wrote to memory of 2100	1004	{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe	39
PID 1004 wrote to memory of 2100	1004	{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe	39
PID 1004 wrote to memory of 1716	1004	{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe	40
PID 1004 wrote to memory of 1716	1004	{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe	40
PID 1004 wrote to memory of 1716	1004	{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe	40
PID 1004 wrote to memory of 1716	1004	{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe	40
PID 2100 wrote to memory of 1616	2100	{CCD68156-0826-446a-9183-C85894736424}.exe	41
PID 2100 wrote to memory of 1616	2100	{CCD68156-0826-446a-9183-C85894736424}.exe	41
PID 2100 wrote to memory of 1616	2100	{CCD68156-0826-446a-9183-C85894736424}.exe	41
PID 2100 wrote to memory of 1616	2100	{CCD68156-0826-446a-9183-C85894736424}.exe	41
PID 2100 wrote to memory of 1428	2100	{CCD68156-0826-446a-9183-C85894736424}.exe	42
PID 2100 wrote to memory of 1428	2100	{CCD68156-0826-446a-9183-C85894736424}.exe	42
PID 2100 wrote to memory of 1428	2100	{CCD68156-0826-446a-9183-C85894736424}.exe	42
PID 2100 wrote to memory of 1428	2100	{CCD68156-0826-446a-9183-C85894736424}.exe	42
PID 1616 wrote to memory of 1948	1616	{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe	43
PID 1616 wrote to memory of 1948	1616	{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe	43
PID 1616 wrote to memory of 1948	1616	{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe	43
PID 1616 wrote to memory of 1948	1616	{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe	43
PID 1616 wrote to memory of 1692	1616	{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe	44
PID 1616 wrote to memory of 1692	1616	{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe	44
PID 1616 wrote to memory of 1692	1616	{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe	44
PID 1616 wrote to memory of 1692	1616	{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe	44
PID 1948 wrote to memory of 2840	1948	{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe	45
PID 1948 wrote to memory of 2840	1948	{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe	45
PID 1948 wrote to memory of 2840	1948	{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe	45
PID 1948 wrote to memory of 2840	1948	{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe	45
PID 1948 wrote to memory of 2960	1948	{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe	46
PID 1948 wrote to memory of 2960	1948	{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe	46
PID 1948 wrote to memory of 2960	1948	{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe	46
PID 1948 wrote to memory of 2960	1948	{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe	46

C:\Users\Admin\AppData\Local\Temp\403cd30bf0eaa0b11ab34e9b54c896b0N.exe
"C:\Users\Admin\AppData\Local\Temp\403cd30bf0eaa0b11ab34e9b54c896b0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe
  C:\Windows\{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe
    C:\Windows\{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe
      C:\Windows\{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe
        
        C:\Windows\{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1004
      - C:\Windows\{CCD68156-0826-446a-9183-C85894736424}.exe
        
        C:\Windows\{CCD68156-0826-446a-9183-C85894736424}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe
        
        C:\Windows\{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe
        
        C:\Windows\{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\{FCEA923F-5138-4a3a-9206-BEB9C1A7A498}.exe
        
        C:\Windows\{FCEA923F-5138-4a3a-9206-BEB9C1A7A498}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\{CD9A051E-82B9-428a-8F3A-0F86F5DA1D53}.exe
        
        C:\Windows\{CD9A051E-82B9-428a-8F3A-0F86F5DA1D53}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCEA9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA969~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D87E7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD68~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1DDE~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{988AB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FD361~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F67A0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\403CD3~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{988ABCA5-8A0D-4e58-BDCE-C40E2AE38F67}.exe

Filesize
88KB

MD5
5768d610942c38b4528553ff8ed053a1

SHA1
078dbacbf4129915dd567cde4e91d1503bfa3839

SHA256
b0c73a7c14288516de874466dd3c5e2e68cb36d626f416f640ecf153f800516e

SHA512
8be4b1c097b107a38b861940ec3b01290d28aab07767e129e02bbf1e666cdf26123fe57dec4cd5ef6070ed5ab77fe5efd55e2f4465e84161e99b9203371116fb

Download Submit
C:\Windows\{C1DDE150-CB69-4e85-9326-3B5AD6A1E364}.exe

Filesize
88KB

MD5
49bd71f77334edc3eef3c29483408b36

SHA1
e55dc3b20d3322db6a22f0d878b6249cd5d5b25b

SHA256
4ccd355ab96fb38c1d1073fb60d08afb4c1445f73a7fe4ad19184cd99847dc7d

SHA512
bb781133aafbf8b66cec2cf46f1f8ceb766d4061d775c78ad4cdd7b737c2523b454c00ea4641fdcbbe17883e761fd0941fc0c7d50bcb208a60b67d8eff9a82cc

Download Submit
C:\Windows\{CCD68156-0826-446a-9183-C85894736424}.exe

Filesize
88KB

MD5
7fe3922b31a085d3c350c1edff3e7809

SHA1
fe00c1e115aef30f424812b8dd0b17eb43cc2e19

SHA256
6e13665c2816ef8cee4667192f53e7d70a21ca457f5331f5fad969c9d14a30ae

SHA512
dfe15922831346c0b1b96b95d89570f992c26cf81ee44707b133fa30445efeb946db6d5ecc04005db34d39e05b953744e41f0fd4955a842201404270a6d1f70f

Download Submit
C:\Windows\{CD9A051E-82B9-428a-8F3A-0F86F5DA1D53}.exe

Filesize
88KB

MD5
ce0281210260a576fbb3086f487cb32d

SHA1
ff41bddbabbeea8d3045c61c1c4afdcf5a5b09b8

SHA256
a0786dbcfbc5b332f278bfb23f35d1f191436c8b119a0e680ae150c3fd1ae563

SHA512
ab4c978a21b510cb1455718a6a29efefe1c874b39c2652fbe3d8261d9bbc6f8535a8e25236289860611e3746a39e07fb08b966d29a7a12d80cb2be2c6b73c551

Download Submit
C:\Windows\{D87E7F55-3CB3-4fc9-9306-9C13A2D3FD33}.exe

Filesize
88KB

MD5
c6e932c6be1b0c30c29efb720fc974d9

SHA1
bb2ea2ed31ba493695b64cff23ac918c5063eb08

SHA256
c537bdacb5281e9705debc3218872a0888591c01c3d9db90a5c7aacb89655fec

SHA512
277504b2e1ca038d8699f9691c251194bfd473eb8d6c9c35498cece1072341f89ec38b41cbe098528be8bf17b9b9ecaed662003b8cb1d141dab5cf05738e3467

Download Submit
C:\Windows\{EA969755-9564-4ff2-8C33-FDE8D8372199}.exe

Filesize
88KB

MD5
228b733f310abd0525a2efaca3a24d5f

SHA1
7590667aef53ffd7ac23b2caaed9e941c02bb2a6

SHA256
5c722ac758caa186a1987f1fd217f7fcb8f7d7b64309973fd937e3a16cb29b35

SHA512
331fd1ebfcefafe017c88f4cd36d1a40ac85dae8565361bca4de87c71ed68cb9a52bba9c4a77ce05f9152b557d877c7164d7803c4205c2d3c5573e2a2509201a

Download Submit
C:\Windows\{F67A0085-0ADF-444f-ADEA-F88B4C690193}.exe

Filesize
88KB

MD5
89281c71346fef45807d4512e9ccac60

SHA1
c4190938fbb1a243fa6c9e21ea1ea8d2d9276786

SHA256
32ca73fb31981a595a60deef92051ed40db10f6cfb5b7be48b0bdf25c5e9dc11

SHA512
51f61803f28fdba37a9d9048179c6492d5aaa7e670574c9ef4ba5bc937c796e0ecf9758d32a22b6a9cdb2d259edfe92b765d33d35691fa505a03725bf2e7e7ff

Download Submit
C:\Windows\{FCEA923F-5138-4a3a-9206-BEB9C1A7A498}.exe

Filesize
88KB

MD5
96541b5dc438d89a0946378d0ebfc14a

SHA1
a9f4e189e60300f3b4f19306e4c85f7df5e39b9c

SHA256
076c29f6733e0844be4a7fd612c3deae2f3c4811ed1229dea3788cda4aba30c6

SHA512
2846c70c009e2d5af307b6bcbe8f427f77540391201fcdad4eea48fcf6381e417b814f7451472570298b6440b94b756bf202aac5ffef74a28808de9e1b8b10df

Download Submit
C:\Windows\{FD361BC5-9470-44b9-8D41-BB123C61B557}.exe

Filesize
88KB

MD5
74ff8a847db9ea5174f956628c3fb089

SHA1
e6278c49a24fc98ba001228d369f1aab08baf387

SHA256
fbee6f0b1040b4c92a767ef2aa02788e28bcdbc04ef8f68fe0abf957f6cebb0f

SHA512
4d884751b1c2fd50654b3c85316a0acc86e6f89ecfb5b1424e1c6d27056980c0714de559534622ab0a31c7cb46633895bcbec89d477b0ea4fc1e8dd54aff5de9

Download Submit
memory/1004-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1004-42-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/1004-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1616-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1616-65-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/1616-66-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/1948-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1948-76-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/1948-72-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/2100-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2100-52-0x0000000001C00000-0x0000000001C11000-memory.dmp

Filesize
68KB

Download
memory/2100-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2112-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2112-4-0x0000000000330000-0x0000000000341000-memory.dmp

Filesize
68KB

Download
memory/2112-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2112-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2520-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2520-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2520-14-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2768-27-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/2768-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2768-23-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/2812-33-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2812-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2840-86-0x0000000001BE0000-0x0000000001BF1000-memory.dmp

Filesize
68KB

Download
memory/2840-82-0x0000000001BE0000-0x0000000001BF1000-memory.dmp

Filesize
68KB

Download
memory/2840-87-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads