b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe
Size

90KB
MD5

679da92d799ea9a74f171fe40d783dcb
SHA1

b0687033cf4c64b98aaf4fad60d2331faa87d3f8
SHA256

b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5
SHA512

bc63ebe4981fac675d9145a9c646abf548bcc1b0ccafa1c2313c294031b0f81a7abab81eb6c8685a3f806a6fa75a0ac2561428c0076a96e4fac2cae894981761
SSDEEP

768:Qvw9816vhKQLrop4/wQRNrfrunMxVFA3b7glws:YEGh0opl2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{084646CC-C76D-4522-9B87-CCEE842F3056}\stubpath = "C:\\Windows\\{084646CC-C76D-4522-9B87-CCEE842F3056}.exe"	{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383B50B4-A52A-462b-89AA-77FC39EF7F4C}\stubpath = "C:\\Windows\\{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe"	{084646CC-C76D-4522-9B87-CCEE842F3056}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}\stubpath = "C:\\Windows\\{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe"	{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{992F23DC-DF63-4d87-8362-4F6D91A2978D}\stubpath = "C:\\Windows\\{992F23DC-DF63-4d87-8362-4F6D91A2978D}.exe"	{675B4857-6051-42d8-B76C-3044E8EB11F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CDD982E-2517-466e-AD31-B348EEAE5024}\stubpath = "C:\\Windows\\{2CDD982E-2517-466e-AD31-B348EEAE5024}.exe"	{992F23DC-DF63-4d87-8362-4F6D91A2978D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C20246C7-BE10-4958-8985-3C305BBF32F5}\stubpath = "C:\\Windows\\{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe"	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B5DB6C4-ED90-448a-A076-6797F5F01E71}	{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05B3CB77-13E2-4983-8212-FBE4327F78E3}\stubpath = "C:\\Windows\\{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe"	{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89E75A94-2C48-4cc9-A8E2-C6A887B9FF6D}\stubpath = "C:\\Windows\\{89E75A94-2C48-4cc9-A8E2-C6A887B9FF6D}.exe"	{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{675B4857-6051-42d8-B76C-3044E8EB11F4}	{89E75A94-2C48-4cc9-A8E2-C6A887B9FF6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CDD982E-2517-466e-AD31-B348EEAE5024}	{992F23DC-DF63-4d87-8362-4F6D91A2978D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C20246C7-BE10-4958-8985-3C305BBF32F5}	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383B50B4-A52A-462b-89AA-77FC39EF7F4C}	{084646CC-C76D-4522-9B87-CCEE842F3056}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B5DB6C4-ED90-448a-A076-6797F5F01E71}\stubpath = "C:\\Windows\\{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe"	{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}	{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89E75A94-2C48-4cc9-A8E2-C6A887B9FF6D}	{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{675B4857-6051-42d8-B76C-3044E8EB11F4}\stubpath = "C:\\Windows\\{675B4857-6051-42d8-B76C-3044E8EB11F4}.exe"	{89E75A94-2C48-4cc9-A8E2-C6A887B9FF6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{992F23DC-DF63-4d87-8362-4F6D91A2978D}	{675B4857-6051-42d8-B76C-3044E8EB11F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{084646CC-C76D-4522-9B87-CCEE842F3056}	{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05B3CB77-13E2-4983-8212-FBE4327F78E3}	{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}	{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}\stubpath = "C:\\Windows\\{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe"	{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe

Deletes itself 1 IoCs

pid	Process
912	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2084	{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe
2812	{084646CC-C76D-4522-9B87-CCEE842F3056}.exe
2912	{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe
2864	{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe
2312	{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe
2348	{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe
2860	{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe
2852	{89E75A94-2C48-4cc9-A8E2-C6A887B9FF6D}.exe
2496	{675B4857-6051-42d8-B76C-3044E8EB11F4}.exe
1084	{992F23DC-DF63-4d87-8362-4F6D91A2978D}.exe
2108	{2CDD982E-2517-466e-AD31-B348EEAE5024}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2CDD982E-2517-466e-AD31-B348EEAE5024}.exe	{992F23DC-DF63-4d87-8362-4F6D91A2978D}.exe
File created	C:\Windows\{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe
File created	C:\Windows\{084646CC-C76D-4522-9B87-CCEE842F3056}.exe	{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe
File created	C:\Windows\{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe	{084646CC-C76D-4522-9B87-CCEE842F3056}.exe
File created	C:\Windows\{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe	{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe
File created	C:\Windows\{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe	{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe
File created	C:\Windows\{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe	{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe
File created	C:\Windows\{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe	{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe
File created	C:\Windows\{89E75A94-2C48-4cc9-A8E2-C6A887B9FF6D}.exe	{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe
File created	C:\Windows\{675B4857-6051-42d8-B76C-3044E8EB11F4}.exe	{89E75A94-2C48-4cc9-A8E2-C6A887B9FF6D}.exe
File created	C:\Windows\{992F23DC-DF63-4d87-8362-4F6D91A2978D}.exe	{675B4857-6051-42d8-B76C-3044E8EB11F4}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{675B4857-6051-42d8-B76C-3044E8EB11F4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{084646CC-C76D-4522-9B87-CCEE842F3056}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{992F23DC-DF63-4d87-8362-4F6D91A2978D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2CDD982E-2517-466e-AD31-B348EEAE5024}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{89E75A94-2C48-4cc9-A8E2-C6A887B9FF6D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2540	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe
Token: SeIncBasePriorityPrivilege	2084	{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe
Token: SeIncBasePriorityPrivilege	2812	{084646CC-C76D-4522-9B87-CCEE842F3056}.exe
Token: SeIncBasePriorityPrivilege	2912	{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe
Token: SeIncBasePriorityPrivilege	2864	{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe
Token: SeIncBasePriorityPrivilege	2312	{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe
Token: SeIncBasePriorityPrivilege	2348	{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe
Token: SeIncBasePriorityPrivilege	2860	{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe
Token: SeIncBasePriorityPrivilege	2852	{89E75A94-2C48-4cc9-A8E2-C6A887B9FF6D}.exe
Token: SeIncBasePriorityPrivilege	2496	{675B4857-6051-42d8-B76C-3044E8EB11F4}.exe
Token: SeIncBasePriorityPrivilege	1084	{992F23DC-DF63-4d87-8362-4F6D91A2978D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2084	2540	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe	29
PID 2540 wrote to memory of 2084	2540	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe	29
PID 2540 wrote to memory of 2084	2540	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe	29
PID 2540 wrote to memory of 2084	2540	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe	29
PID 2540 wrote to memory of 912	2540	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe	30
PID 2540 wrote to memory of 912	2540	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe	30
PID 2540 wrote to memory of 912	2540	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe	30
PID 2540 wrote to memory of 912	2540	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe	30
PID 2084 wrote to memory of 2812	2084	{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe	31
PID 2084 wrote to memory of 2812	2084	{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe	31
PID 2084 wrote to memory of 2812	2084	{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe	31
PID 2084 wrote to memory of 2812	2084	{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe	31
PID 2084 wrote to memory of 2840	2084	{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe	32
PID 2084 wrote to memory of 2840	2084	{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe	32
PID 2084 wrote to memory of 2840	2084	{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe	32
PID 2084 wrote to memory of 2840	2084	{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe	32
PID 2812 wrote to memory of 2912	2812	{084646CC-C76D-4522-9B87-CCEE842F3056}.exe	33
PID 2812 wrote to memory of 2912	2812	{084646CC-C76D-4522-9B87-CCEE842F3056}.exe	33
PID 2812 wrote to memory of 2912	2812	{084646CC-C76D-4522-9B87-CCEE842F3056}.exe	33
PID 2812 wrote to memory of 2912	2812	{084646CC-C76D-4522-9B87-CCEE842F3056}.exe	33
PID 2812 wrote to memory of 948	2812	{084646CC-C76D-4522-9B87-CCEE842F3056}.exe	34
PID 2812 wrote to memory of 948	2812	{084646CC-C76D-4522-9B87-CCEE842F3056}.exe	34
PID 2812 wrote to memory of 948	2812	{084646CC-C76D-4522-9B87-CCEE842F3056}.exe	34
PID 2812 wrote to memory of 948	2812	{084646CC-C76D-4522-9B87-CCEE842F3056}.exe	34
PID 2912 wrote to memory of 2864	2912	{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe	35
PID 2912 wrote to memory of 2864	2912	{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe	35
PID 2912 wrote to memory of 2864	2912	{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe	35
PID 2912 wrote to memory of 2864	2912	{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe	35
PID 2912 wrote to memory of 1840	2912	{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe	36
PID 2912 wrote to memory of 1840	2912	{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe	36
PID 2912 wrote to memory of 1840	2912	{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe	36
PID 2912 wrote to memory of 1840	2912	{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe	36
PID 2864 wrote to memory of 2312	2864	{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe	37
PID 2864 wrote to memory of 2312	2864	{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe	37
PID 2864 wrote to memory of 2312	2864	{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe	37
PID 2864 wrote to memory of 2312	2864	{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe	37
PID 2864 wrote to memory of 2408	2864	{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe	38
PID 2864 wrote to memory of 2408	2864	{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe	38
PID 2864 wrote to memory of 2408	2864	{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe	38
PID 2864 wrote to memory of 2408	2864	{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe	38
PID 2312 wrote to memory of 2348	2312	{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe	39
PID 2312 wrote to memory of 2348	2312	{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe	39
PID 2312 wrote to memory of 2348	2312	{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe	39
PID 2312 wrote to memory of 2348	2312	{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe	39
PID 2312 wrote to memory of 2848	2312	{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe	40
PID 2312 wrote to memory of 2848	2312	{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe	40
PID 2312 wrote to memory of 2848	2312	{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe	40
PID 2312 wrote to memory of 2848	2312	{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe	40
PID 2348 wrote to memory of 2860	2348	{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe	41
PID 2348 wrote to memory of 2860	2348	{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe	41
PID 2348 wrote to memory of 2860	2348	{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe	41
PID 2348 wrote to memory of 2860	2348	{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe	41
PID 2348 wrote to memory of 3020	2348	{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe	42
PID 2348 wrote to memory of 3020	2348	{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe	42
PID 2348 wrote to memory of 3020	2348	{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe	42
PID 2348 wrote to memory of 3020	2348	{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe	42
PID 2860 wrote to memory of 2852	2860	{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe	43
PID 2860 wrote to memory of 2852	2860	{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe	43
PID 2860 wrote to memory of 2852	2860	{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe	43
PID 2860 wrote to memory of 2852	2860	{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe	43
PID 2860 wrote to memory of 2684	2860	{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe	44
PID 2860 wrote to memory of 2684	2860	{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe	44
PID 2860 wrote to memory of 2684	2860	{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe	44
PID 2860 wrote to memory of 2684	2860	{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe	44

C:\Users\Admin\AppData\Local\Temp\b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe
"C:\Users\Admin\AppData\Local\Temp\b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe
  C:\Windows\{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\{084646CC-C76D-4522-9B87-CCEE842F3056}.exe
    C:\Windows\{084646CC-C76D-4522-9B87-CCEE842F3056}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe
      C:\Windows\{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe
        
        C:\Windows\{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe
        
        C:\Windows\{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe
        
        C:\Windows\{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe
        
        C:\Windows\{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{89E75A94-2C48-4cc9-A8E2-C6A887B9FF6D}.exe
        
        C:\Windows\{89E75A94-2C48-4cc9-A8E2-C6A887B9FF6D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{675B4857-6051-42d8-B76C-3044E8EB11F4}.exe
        
        C:\Windows\{675B4857-6051-42d8-B76C-3044E8EB11F4}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\{992F23DC-DF63-4d87-8362-4F6D91A2978D}.exe
        
        C:\Windows\{992F23DC-DF63-4d87-8362-4F6D91A2978D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\{2CDD982E-2517-466e-AD31-B348EEAE5024}.exe
        
        C:\Windows\{2CDD982E-2517-466e-AD31-B348EEAE5024}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{992F2~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{675B4~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89E75~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52FF4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF1DE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05B3C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B5DB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{383B5~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{08464~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C2024~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B50360~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05B3CB77-13E2-4983-8212-FBE4327F78E3}.exe

Filesize
90KB

MD5
2dbce366b7cabf4c49c2b56b0e90bd8b

SHA1
e656f0854a08339da7a4f63541b01a6622247dff

SHA256
0f6445f47b7928b1e4ab7d88e224878c0477e66a02c418eac7a2656704d7f968

SHA512
af8274469103bc296f79adafeca9efe6d97a6f5efed9cd733b3fbc63f731a1d041f129c6ef5eeb8c14d498e8d66baf5485b2a319d9b4e3c75c88113dae6550c7

Download Submit
C:\Windows\{084646CC-C76D-4522-9B87-CCEE842F3056}.exe

Filesize
90KB

MD5
d4748d1cccdb014768338f382ab63f52

SHA1
01cd409de30d4c5c5bc7f6ed54d2302db7c99f28

SHA256
3e6603f60fc8e5295fbb7f07616f02b91aa55ee9beb5663bd6f5b24dd489060e

SHA512
ea3a20a7b5dd336fa53072d74dded2d22587774b1c26a4f33497d993b3e940c4c82c1b9c94ae3d5643a905a498d7769ac46c3a319bd96af4435cd8ef4f50687c

Download Submit
C:\Windows\{2CDD982E-2517-466e-AD31-B348EEAE5024}.exe

Filesize
90KB

MD5
35bfd19e53383ab16f8c0f8126c2eb0c

SHA1
b8c23cc1283f23312c75053400c4dc21d7107874

SHA256
968846b768acea470fcce920fa66fa3d779cba7ff66425d15ee1f201406331c6

SHA512
68707597e240cae62ea90e1c354accb82c5c05bfe3e1207f6ff9156d3709b578cb2690669f8b51bb860efe306f0527687b5633beac7bf977fb223eb5042bd7a1

Download Submit
C:\Windows\{383B50B4-A52A-462b-89AA-77FC39EF7F4C}.exe

Filesize
90KB

MD5
1736593e27644314263ae32cf895b4d7

SHA1
909be5224520d8ec7092d6e2ba6d376afdb7c34b

SHA256
0d0de1a893815447a066b2e09d5269fdeba7a5be0cefec15d2712f6fe4423baf

SHA512
3b0c55b111928663795a7c0994077c0b9db4db888379ad091f1ae47f2b98d5a4aa2db900324834861295d45eb859b807acc070f0076bca7b7f985aa2ff810cc0

Download Submit
C:\Windows\{52FF4A34-1D80-43c7-95C2-BB83A416CA2C}.exe

Filesize
90KB

MD5
23b9ea87786019028f50420f97957a7f

SHA1
75ec57fa053136cd5a9c1c481469452fdb5f6d14

SHA256
4f57cbf4c481d3e5d69b73cbfd84a662215f318e941cb1501754b052566ce853

SHA512
a6ab0ebd1f9c5034391bac3acd9e27b6f3e8e41a917ab7c32d3aadd86974566fc2bf3647dd700ce0f86e098b5c6aa42d8b558c396a5b9a9ac60932c08d65adf8

Download Submit
C:\Windows\{5B5DB6C4-ED90-448a-A076-6797F5F01E71}.exe

Filesize
90KB

MD5
dba7a6154fb23c522e64d24b287d287e

SHA1
fdad922282c20dc12a605e50bf863c7e472980f7

SHA256
c37ec919a582115d2490cd69e5e7184a3e9e1eb2c199ec9eff53278932c276ca

SHA512
aa28928511796b64ca7782828c82b53f2af9b0cd9a92a42d2cb35c27c550b77f0e885810af979ec7988485f6f3441e530bd5d3bda504e52640d10d56822bcb69

Download Submit
C:\Windows\{675B4857-6051-42d8-B76C-3044E8EB11F4}.exe

Filesize
90KB

MD5
e66c4fc1dee24143f64d961d6e817a82

SHA1
402539b3ce3a5d102a069b37705410e94389916f

SHA256
1feddbc785a9c4f857eb9e68ef0d63bda6d0ebde02944251589daa8eaffba842

SHA512
6bb10df9f4ed11ad9f82dc50f6e1e3d22c75a3f63d14cedd9983d77139f86e3d613f82c95e2760b3b2b13ddf1b52d8a47c8a7de7408a912c01ac54d4bf02478a

Download Submit
C:\Windows\{89E75A94-2C48-4cc9-A8E2-C6A887B9FF6D}.exe

Filesize
90KB

MD5
e563214b9980ef3113c536451447e0ca

SHA1
cf212bef6ab81f3addffc259edef97eac5a22d9a

SHA256
ed431297d1877c9023b5419c7a9b29b96becfa2d556d15bff69c463580a2a67f

SHA512
1b5cd977c2ebdd7bd4b88628798f71437af13ec160b42ec0f17e822d558446cb8eb3dde7562674a694e9305075d6f43ce8bccbb18c5626bef89aab825f27466c

Download Submit
C:\Windows\{992F23DC-DF63-4d87-8362-4F6D91A2978D}.exe

Filesize
90KB

MD5
077e116bb56fb18ee80f115175f1d35a

SHA1
2a47a832c228ae0aa7ce7b80a161fd58957b33e7

SHA256
4cacbd1c59e74f8637db042121af62b2b0a3d1ede400e32c0b971868782e316a

SHA512
64dbc6a1087e8f83b083c4a1c4d43c7d7da64540d2731335acebe493ca1e6e60b5492b238b2e80ec1ae8aeb31371ffc26be5633364d13f6d34de59c2ed3fafed

Download Submit
C:\Windows\{C20246C7-BE10-4958-8985-3C305BBF32F5}.exe

Filesize
90KB

MD5
e656a61bd482c8b4b7819741e44b65fe

SHA1
54bcea59df371d7e16b46b9674008227ed019a32

SHA256
17a332eaedaf034a48209c3366d2be53b6b755bbbb24bd34b1103485672eacde

SHA512
6e036024854bc5ebba434de8a7f2c6f7cd4e95eeb405b38ece6e319f79b5629b86dd276f9aa034684c07fab89cce47720385eb19ff9ddba07b3c7b50f259a432

Download Submit
C:\Windows\{EF1DEB50-53F3-4664-9D2D-295C4DE58D6C}.exe

Filesize
90KB

MD5
a34e17f5761b32152302aef418a98900

SHA1
fda6644420455c350218146a93ec17f9c5b65f7e

SHA256
f813419f75948f86603be9c7ce6e35509f92ca69f9973ba15a96b37601f4223e

SHA512
326b12808f12d3a856accfa5261386ead5beff9fa08843d80bc9b6a97c8215ecc38e7f474a0a3d73ce92cd0ac79b8fa11fd026833464d555df745b0849c1aac0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads