da54a95babcfa980301a49aea43785300359058475d15a7db4953c4f3b90ca56

Analysis

max time kernel
118s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

403cd30bf0eaa0b11ab34e9b54c896b0N.exe
Size

88KB
MD5

403cd30bf0eaa0b11ab34e9b54c896b0
SHA1

cbef4bf5856003c5140823483c2b91c88fde6c14
SHA256

da54a95babcfa980301a49aea43785300359058475d15a7db4953c4f3b90ca56
SHA512

452e8c20bd2545fe49815bba0ed5426de08b58dc52d9e673cb4926ec05cffa67e3f679ef6bea1a627cadcdc04083c806bd47cb6a1034bed6a4fe150ca3e4e9fe
SSDEEP

768:5vw9816thKQLroh4/wQkNrfrunMxVFA3V:lEG/0ohlbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA3C9160-E7BD-4106-82A9-00B2FCFE869C}	{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}\stubpath = "C:\\Windows\\{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe"	{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F25ED526-2833-4432-A375-10658F3A0786}	{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DF2DB90-870D-491a-80C0-1B568F0C15D8}	{F25ED526-2833-4432-A375-10658F3A0786}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DF2DB90-870D-491a-80C0-1B568F0C15D8}\stubpath = "C:\\Windows\\{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe"	{F25ED526-2833-4432-A375-10658F3A0786}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}	{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}\stubpath = "C:\\Windows\\{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe"	{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}	{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}	{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}	{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}\stubpath = "C:\\Windows\\{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe"	{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}	403cd30bf0eaa0b11ab34e9b54c896b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}\stubpath = "C:\\Windows\\{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe"	403cd30bf0eaa0b11ab34e9b54c896b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}\stubpath = "C:\\Windows\\{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe"	{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}\stubpath = "C:\\Windows\\{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe"	{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}	{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F25ED526-2833-4432-A375-10658F3A0786}\stubpath = "C:\\Windows\\{F25ED526-2833-4432-A375-10658F3A0786}.exe"	{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA3C9160-E7BD-4106-82A9-00B2FCFE869C}\stubpath = "C:\\Windows\\{FA3C9160-E7BD-4106-82A9-00B2FCFE869C}.exe"	{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe

Executes dropped EXE 9 IoCs

pid	Process
4288	{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe
2712	{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe
2320	{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe
2864	{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe
3964	{F25ED526-2833-4432-A375-10658F3A0786}.exe
2736	{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe
1428	{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe
4336	{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe
3504	{FA3C9160-E7BD-4106-82A9-00B2FCFE869C}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe	{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe
File created	C:\Windows\{F25ED526-2833-4432-A375-10658F3A0786}.exe	{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe
File created	C:\Windows\{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe	403cd30bf0eaa0b11ab34e9b54c896b0N.exe
File created	C:\Windows\{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe	{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe
File created	C:\Windows\{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe	{F25ED526-2833-4432-A375-10658F3A0786}.exe
File created	C:\Windows\{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe	{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe
File created	C:\Windows\{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe	{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe
File created	C:\Windows\{FA3C9160-E7BD-4106-82A9-00B2FCFE869C}.exe	{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe
File created	C:\Windows\{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe	{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	403cd30bf0eaa0b11ab34e9b54c896b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA3C9160-E7BD-4106-82A9-00B2FCFE869C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F25ED526-2833-4432-A375-10658F3A0786}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4888	403cd30bf0eaa0b11ab34e9b54c896b0N.exe
Token: SeIncBasePriorityPrivilege	4288	{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe
Token: SeIncBasePriorityPrivilege	2712	{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe
Token: SeIncBasePriorityPrivilege	2320	{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe
Token: SeIncBasePriorityPrivilege	2864	{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe
Token: SeIncBasePriorityPrivilege	3964	{F25ED526-2833-4432-A375-10658F3A0786}.exe
Token: SeIncBasePriorityPrivilege	2736	{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe
Token: SeIncBasePriorityPrivilege	1428	{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe
Token: SeIncBasePriorityPrivilege	4336	{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4288	4888	403cd30bf0eaa0b11ab34e9b54c896b0N.exe	93
PID 4888 wrote to memory of 4288	4888	403cd30bf0eaa0b11ab34e9b54c896b0N.exe	93
PID 4888 wrote to memory of 4288	4888	403cd30bf0eaa0b11ab34e9b54c896b0N.exe	93
PID 4888 wrote to memory of 4968	4888	403cd30bf0eaa0b11ab34e9b54c896b0N.exe	94
PID 4888 wrote to memory of 4968	4888	403cd30bf0eaa0b11ab34e9b54c896b0N.exe	94
PID 4888 wrote to memory of 4968	4888	403cd30bf0eaa0b11ab34e9b54c896b0N.exe	94
PID 4288 wrote to memory of 2712	4288	{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe	95
PID 4288 wrote to memory of 2712	4288	{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe	95
PID 4288 wrote to memory of 2712	4288	{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe	95
PID 4288 wrote to memory of 3144	4288	{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe	96
PID 4288 wrote to memory of 3144	4288	{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe	96
PID 4288 wrote to memory of 3144	4288	{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe	96
PID 2712 wrote to memory of 2320	2712	{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe	99
PID 2712 wrote to memory of 2320	2712	{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe	99
PID 2712 wrote to memory of 2320	2712	{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe	99
PID 2712 wrote to memory of 3972	2712	{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe	100
PID 2712 wrote to memory of 3972	2712	{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe	100
PID 2712 wrote to memory of 3972	2712	{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe	100
PID 2320 wrote to memory of 2864	2320	{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe	101
PID 2320 wrote to memory of 2864	2320	{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe	101
PID 2320 wrote to memory of 2864	2320	{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe	101
PID 2320 wrote to memory of 2600	2320	{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe	102
PID 2320 wrote to memory of 2600	2320	{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe	102
PID 2320 wrote to memory of 2600	2320	{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe	102
PID 2864 wrote to memory of 3964	2864	{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe	103
PID 2864 wrote to memory of 3964	2864	{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe	103
PID 2864 wrote to memory of 3964	2864	{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe	103
PID 2864 wrote to memory of 1408	2864	{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe	104
PID 2864 wrote to memory of 1408	2864	{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe	104
PID 2864 wrote to memory of 1408	2864	{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe	104
PID 3964 wrote to memory of 2736	3964	{F25ED526-2833-4432-A375-10658F3A0786}.exe	105
PID 3964 wrote to memory of 2736	3964	{F25ED526-2833-4432-A375-10658F3A0786}.exe	105
PID 3964 wrote to memory of 2736	3964	{F25ED526-2833-4432-A375-10658F3A0786}.exe	105
PID 3964 wrote to memory of 2204	3964	{F25ED526-2833-4432-A375-10658F3A0786}.exe	106
PID 3964 wrote to memory of 2204	3964	{F25ED526-2833-4432-A375-10658F3A0786}.exe	106
PID 3964 wrote to memory of 2204	3964	{F25ED526-2833-4432-A375-10658F3A0786}.exe	106
PID 2736 wrote to memory of 1428	2736	{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe	107
PID 2736 wrote to memory of 1428	2736	{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe	107
PID 2736 wrote to memory of 1428	2736	{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe	107
PID 2736 wrote to memory of 1840	2736	{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe	108
PID 2736 wrote to memory of 1840	2736	{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe	108
PID 2736 wrote to memory of 1840	2736	{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe	108
PID 1428 wrote to memory of 4336	1428	{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe	109
PID 1428 wrote to memory of 4336	1428	{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe	109
PID 1428 wrote to memory of 4336	1428	{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe	109
PID 1428 wrote to memory of 3684	1428	{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe	110
PID 1428 wrote to memory of 3684	1428	{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe	110
PID 1428 wrote to memory of 3684	1428	{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe	110
PID 4336 wrote to memory of 3504	4336	{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe	111
PID 4336 wrote to memory of 3504	4336	{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe	111
PID 4336 wrote to memory of 3504	4336	{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe	111
PID 4336 wrote to memory of 1692	4336	{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe	112
PID 4336 wrote to memory of 1692	4336	{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe	112
PID 4336 wrote to memory of 1692	4336	{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe	112

C:\Users\Admin\AppData\Local\Temp\403cd30bf0eaa0b11ab34e9b54c896b0N.exe
"C:\Users\Admin\AppData\Local\Temp\403cd30bf0eaa0b11ab34e9b54c896b0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe
  C:\Windows\{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe
    C:\Windows\{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe
      C:\Windows\{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Windows\{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe
        
        C:\Windows\{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\{F25ED526-2833-4432-A375-10658F3A0786}.exe
        
        C:\Windows\{F25ED526-2833-4432-A375-10658F3A0786}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe
        
        C:\Windows\{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe
        
        C:\Windows\{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe
        
        C:\Windows\{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{FA3C9160-E7BD-4106-82A9-00B2FCFE869C}.exe
        
        C:\Windows\{FA3C9160-E7BD-4106-82A9-00B2FCFE869C}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DF6D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3417F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DF2D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F25ED~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B39F9~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C244~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A8C30~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{21BB0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\403CD3~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DF2DB90-870D-491a-80C0-1B568F0C15D8}.exe

Filesize
88KB

MD5
79c17389b5e89b46ed6180a3ce617ebd

SHA1
0d8969cc38fabfe90c8ea718187ba191a109da19

SHA256
71535cf1820cc2b8ec57420e2b207f2cc85d344d4ea2fb83d11d0d14620227a0

SHA512
aad7745371ab853a36af4f4433353849ee24c157d1b47ab71665c46edfbe2ceb5107c7aa46d0f8e44e64c551919fdfbd22291c2f2c8743deaa7497e2c3f87731

Download Submit
C:\Windows\{21BB0F2A-F553-40b5-B35D-DD0A29EE16F6}.exe

Filesize
88KB

MD5
f22f31361a8fa8f3489d559814849e9c

SHA1
d3b4d7d71a460fbc764873960bc37169425b3cf6

SHA256
82a2b22a57e1e2318cffd47d4bcfd578cfca435bfbe3679a6d90b123daafdfd5

SHA512
24041a9d3d311cdaabe326f03d67d8177a3229cec0cf830fe8559adb160105ca48cac59f214e5514a2927dc04268e19770badef6be8c60ee59947a595468da87

Download Submit
C:\Windows\{3417FF6B-EFE2-4ac1-8954-4CDF26E7B2C9}.exe

Filesize
88KB

MD5
c6c9a8fe929c221a135e9ddd4895a56d

SHA1
e0bb9bc62aa7bb886fcb57277ea922dca42b029d

SHA256
43a2a9cba4509624096247406615fb90936ce3f4579713dbdcd222380a33cf07

SHA512
a8fc17641e1bdf77b62caa0d18fb792f38399419ecc68117e42afd5f4091cf4efa1a35d77b3bf80eeb89b07e2657d60e371d9a4a197b0a0d5eb81d06537c8cda

Download Submit
C:\Windows\{4C244B74-D2A9-4d5b-9F0B-840245CB5FAD}.exe

Filesize
88KB

MD5
9ae64269526b5a3650fac27cb69215aa

SHA1
a098a10b7531ea2af9147cd6978678c8779ab211

SHA256
b7e63cc1735858568e7744b5ffa1779c6bc7d65c9dd184b355cece7648396c76

SHA512
0fa6a73c30d858186663b292a881e91878284cd6002c502249c3e03b5f4450e1d392f9127ed00a5afb5c83a1d2132c219e256dd7be5f3a30157884c21edda684

Download Submit
C:\Windows\{6DF6D1F8-D1E8-4157-AE5A-13E9BE9C9FFB}.exe

Filesize
88KB

MD5
07d7157caabda66065e32fc7777e43e8

SHA1
b5b2d5f8baa4559c7d610ab909b099f5c8838632

SHA256
fdb09744931e8cadd87eded2e7a84d84d5023f5d9d2c1c9626b335e71a4e02f3

SHA512
ab2d6c64f95fb8eda23fbb1832b079528129cc5dc72d91bfc7eab2876f7871a7fa7766ebbaff2ed62149974475b924dd9c9c38b919cf6cf5120f111056a1491b

Download Submit
C:\Windows\{A8C303F7-C6DE-4b97-8EB8-6A4722B4CDF5}.exe

Filesize
88KB

MD5
4b950ae2a9cdeb85385f082ab253a1fb

SHA1
a85b389432ce4a99792738944b8edbb14734a1f1

SHA256
7b616e6ec742758bb2ad6dfcc8cad94643c45055f289c26b69bc0182bd287ccc

SHA512
b356154b031d011ccc34f7c4bd2593c2cdd4984b51cd9f37bb0eee068a16bc0af6362a7bc940c83ed9113a79cb25b485ca106af3d04bcd02aca8e43031b8bfdd

Download Submit
C:\Windows\{B39F9594-C5A6-4b1c-A2BB-F47DA9F7B477}.exe

Filesize
88KB

MD5
c09392ffd794ce86b9c2e987ec741b58

SHA1
2e0a283112690f3fe38a32b58679be7ede41ca64

SHA256
bbfe94d4ce08d0eb833dff1057979ddecb58708da6f5199eaf81cdc2eee64d8f

SHA512
a0ba2aa14091bb070e1903fe15e3eb2aecdb33be8e1590cb8554636a11fd7e4f911fab17d17740cfa3f218ff9ce09be1e64df97ed234c685f5e6a738660bc30a

Download Submit
C:\Windows\{F25ED526-2833-4432-A375-10658F3A0786}.exe

Filesize
88KB

MD5
493bab8345c517a03d33aa8bb50d9060

SHA1
f5a4092d479312e965bf9d2fabf6b34931c60cdc

SHA256
015f7c52b9c46465cea199efbb641eb19d1e866f714a5dff42ba3024ec3db0d5

SHA512
52c8776695166de854de63f139e4a272f01c780aa01c0717b4b3a31ecb3e117917d63c794ffd6d01396ccb16e8030b3a60304ecdb6d6d515c52562286fde8f0f

Download Submit
C:\Windows\{FA3C9160-E7BD-4106-82A9-00B2FCFE869C}.exe

Filesize
88KB

MD5
46c9c348927386ee12207381d66daaa5

SHA1
404b41fafb677d27dd418235cfb25b9030f1d87f

SHA256
26b632d74c9be183941a8a9b63092fb59a163270b8932831de593761a68d54fe

SHA512
1e30068283e8e1e1fb45c5a7f3e5a25bbc2eb3aaa3705e3bfad0a169c3c7d5bf722c67085cf503b975fcdfbd0e1b8c0ba4cf431fb5db9669ed44e8dcb02a1081

Download Submit
memory/1428-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1428-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2320-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2320-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2712-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2712-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2736-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2736-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2864-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2864-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3504-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3964-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3964-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4288-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4288-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4288-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4336-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4336-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4888-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4888-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4888-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads