Analysis
- max time kernel: 119s
- max time network: 20s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 03/09/2024, 06:29
Static task: static1
Behavioral task: behavioral1
- Sample: 6749f3a6a433c31fb6ab65e598eb1d00N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 6749f3a6a433c31fb6ab65e598eb1d00N.exe
- Resource: win10v2004-20240802-en
General
- Target: 6749f3a6a433c31fb6ab65e598eb1d00N.exe
- Size: 64KB
- MD5: 6749f3a6a433c31fb6ab65e598eb1d00
- SHA1: aea68d6871f0c95e3b9fbe611919f5b2b9293be7
- SHA256: da9162c42d00d2c894c6ae45a8cda2e58fc694d1629da24aa8df76cd011264ee
- SHA512: ae98904880d69526bd15b789fa82b63f86f506cd14c31638118fa39df4bcc80c953dac86e7a1debec73063f9fb91b74c6a1df52ec4e7575b5969fc933c0bdbbb
- SSDEEP: 192:ObOzawOs81elJHsc45ecRZOgtShcWaOT2QLrCqwERY04/CFxyNhoy5tF:ObLwOs8AHsc4QMfwhKQLroW4/CFsrdF
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6419613F-C821-4311-BC76-4D01FFD6F7EB}\stubpath = "C:\\Windows\\{6419613F-C821-4311-BC76-4D01FFD6F7EB}.exe" | {D924E4F5-5050-470e-A671-60A9CE0B26DA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39116B05-A30E-4c51-98C5-4BA8C37219D7}\stubpath = "C:\\Windows\\{39116B05-A30E-4c51-98C5-4BA8C37219D7}.exe" | {90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7F140D6-0D69-45d7-8459-0AFFA2AA8C52} | {39116B05-A30E-4c51-98C5-4BA8C37219D7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{059BB384-5DDD-462a-BD49-A49E499125C2} | {F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{059BB384-5DDD-462a-BD49-A49E499125C2}\stubpath = "C:\\Windows\\{059BB384-5DDD-462a-BD49-A49E499125C2}.exe" | {F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C99617EB-6F7C-47ea-BECA-B0436DC31403} | {059BB384-5DDD-462a-BD49-A49E499125C2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D} | 6749f3a6a433c31fb6ab65e598eb1d00N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}\stubpath = "C:\\Windows\\{F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}.exe" | {39116B05-A30E-4c51-98C5-4BA8C37219D7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF6AAA2F-8A19-428a-B111-77150913BD9A} | {C99617EB-6F7C-47ea-BECA-B0436DC31403}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6419613F-C821-4311-BC76-4D01FFD6F7EB} | {D924E4F5-5050-470e-A671-60A9CE0B26DA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7} | {A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C99617EB-6F7C-47ea-BECA-B0436DC31403}\stubpath = "C:\\Windows\\{C99617EB-6F7C-47ea-BECA-B0436DC31403}.exe" | {059BB384-5DDD-462a-BD49-A49E499125C2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF6AAA2F-8A19-428a-B111-77150913BD9A}\stubpath = "C:\\Windows\\{DF6AAA2F-8A19-428a-B111-77150913BD9A}.exe" | {C99617EB-6F7C-47ea-BECA-B0436DC31403}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D924E4F5-5050-470e-A671-60A9CE0B26DA} | {DF6AAA2F-8A19-428a-B111-77150913BD9A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D924E4F5-5050-470e-A671-60A9CE0B26DA}\stubpath = "C:\\Windows\\{D924E4F5-5050-470e-A671-60A9CE0B26DA}.exe" | {DF6AAA2F-8A19-428a-B111-77150913BD9A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}\stubpath = "C:\\Windows\\{A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}.exe" | 6749f3a6a433c31fb6ab65e598eb1d00N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}\stubpath = "C:\\Windows\\{90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}.exe" | {A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39116B05-A30E-4c51-98C5-4BA8C37219D7} | {90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}.exe
Deletes itself 1 IoCs
pid | Process
2872 | cmd.exe
Executes dropped EXE 9 IoCs
pid | Process
2788 | {A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}.exe
2888 | {90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}.exe
2640 | {39116B05-A30E-4c51-98C5-4BA8C37219D7}.exe
1832 | {F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}.exe
1312 | {059BB384-5DDD-462a-BD49-A49E499125C2}.exe
2632 | {C99617EB-6F7C-47ea-BECA-B0436DC31403}.exe
1216 | {DF6AAA2F-8A19-428a-B111-77150913BD9A}.exe
2012 | {D924E4F5-5050-470e-A671-60A9CE0B26DA}.exe
2192 | {6419613F-C821-4311-BC76-4D01FFD6F7EB}.exe
Drops file in Windows directory 9 IoCs
description | ioc | Process
File created | C:\Windows\{A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}.exe | 6749f3a6a433c31fb6ab65e598eb1d00N.exe
File created | C:\Windows\{39116B05-A30E-4c51-98C5-4BA8C37219D7}.exe | {90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}.exe
File created | C:\Windows\{D924E4F5-5050-470e-A671-60A9CE0B26DA}.exe | {DF6AAA2F-8A19-428a-B111-77150913BD9A}.exe
File created | C:\Windows\{6419613F-C821-4311-BC76-4D01FFD6F7EB}.exe | {D924E4F5-5050-470e-A671-60A9CE0B26DA}.exe
File created | C:\Windows\{90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}.exe | {A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}.exe
File created | C:\Windows\{F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}.exe | {39116B05-A30E-4c51-98C5-4BA8C37219D7}.exe
File created | C:\Windows\{059BB384-5DDD-462a-BD49-A49E499125C2}.exe | {F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}.exe
File created | C:\Windows\{C99617EB-6F7C-47ea-BECA-B0436DC31403}.exe | {059BB384-5DDD-462a-BD49-A49E499125C2}.exe
File created | C:\Windows\{DF6AAA2F-8A19-428a-B111-77150913BD9A}.exe | {C99617EB-6F7C-47ea-BECA-B0436DC31403}.exe
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6749f3a6a433c31fb6ab65e598eb1d00N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {D924E4F5-5050-470e-A671-60A9CE0B26DA}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {39116B05-A30E-4c51-98C5-4BA8C37219D7}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {C99617EB-6F7C-47ea-BECA-B0436DC31403}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {DF6AAA2F-8A19-428a-B111-77150913BD9A}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {059BB384-5DDD-462a-BD49-A49E499125C2}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {6419613F-C821-4311-BC76-4D01FFD6F7EB}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 708 | 6749f3a6a433c31fb6ab65e598eb1d00N.exe
Token: SeIncBasePriorityPrivilege | 2788 | {A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}.exe
Token: SeIncBasePriorityPrivilege | 2888 | {90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}.exe
Token: SeIncBasePriorityPrivilege | 2640 | {39116B05-A30E-4c51-98C5-4BA8C37219D7}.exe
Token: SeIncBasePriorityPrivilege | 1832 | {F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}.exe
Token: SeIncBasePriorityPrivilege | 1312 | {059BB384-5DDD-462a-BD49-A49E499125C2}.exe
Token: SeIncBasePriorityPrivilege | 2632 | {C99617EB-6F7C-47ea-BECA-B0436DC31403}.exe
Token: SeIncBasePriorityPrivilege | 1216 | {DF6AAA2F-8A19-428a-B111-77150913BD9A}.exe
Token: SeIncBasePriorityPrivilege | 2012 | {D924E4F5-5050-470e-A671-60A9CE0B26DA}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each row was logged 4 times in the original report, 64 entries in total)
PID 708 wrote to memory of 2788 | 708 | 6749f3a6a433c31fb6ab65e598eb1d00N.exe | 29
PID 708 wrote to memory of 2872 | 708 | 6749f3a6a433c31fb6ab65e598eb1d00N.exe | 30
PID 2788 wrote to memory of 2888 | 2788 | {A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}.exe | 31
PID 2788 wrote to memory of 2900 | 2788 | {A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}.exe | 32
PID 2888 wrote to memory of 2640 | 2888 | {90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}.exe | 33
PID 2888 wrote to memory of 2716 | 2888 | {90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}.exe | 34
PID 2640 wrote to memory of 1832 | 2640 | {39116B05-A30E-4c51-98C5-4BA8C37219D7}.exe | 35
PID 2640 wrote to memory of 2940 | 2640 | {39116B05-A30E-4c51-98C5-4BA8C37219D7}.exe | 36
PID 1832 wrote to memory of 1312 | 1832 | {F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}.exe | 37
PID 1832 wrote to memory of 3032 | 1832 | {F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}.exe | 38
PID 1312 wrote to memory of 2632 | 1312 | {059BB384-5DDD-462a-BD49-A49E499125C2}.exe | 39
PID 1312 wrote to memory of 2820 | 1312 | {059BB384-5DDD-462a-BD49-A49E499125C2}.exe | 40
PID 2632 wrote to memory of 1216 | 2632 | {C99617EB-6F7C-47ea-BECA-B0436DC31403}.exe | 41
PID 2632 wrote to memory of 2136 | 2632 | {C99617EB-6F7C-47ea-BECA-B0436DC31403}.exe | 42
PID 1216 wrote to memory of 2012 | 1216 | {DF6AAA2F-8A19-428a-B111-77150913BD9A}.exe | 43
PID 1216 wrote to memory of 1684 | 1216 | {DF6AAA2F-8A19-428a-B111-77150913BD9A}.exe | 44
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\6749f3a6a433c31fb6ab65e598eb1d00N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6749f3a6a433c31fb6ab65e598eb1d00N.exe"
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 708

Level 2: C:\Windows\{A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}.exe
Command line: C:\Windows\{A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2788

Level 3: C:\Windows\{90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}.exe
Command line: C:\Windows\{90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2888

Level 4: C:\Windows\{39116B05-A30E-4c51-98C5-4BA8C37219D7}.exe
Command line: C:\Windows\{39116B05-A30E-4c51-98C5-4BA8C37219D7}.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2640

Level 5: C:\Windows\{F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}.exe
Command line: C:\Windows\{F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1832

Level 6: C:\Windows\{059BB384-5DDD-462a-BD49-A49E499125C2}.exe
Command line: C:\Windows\{059BB384-5DDD-462a-BD49-A49E499125C2}.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1312

Level 7: C:\Windows\{C99617EB-6F7C-47ea-BECA-B0436DC31403}.exe
Command line: C:\Windows\{C99617EB-6F7C-47ea-BECA-B0436DC31403}.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2632

Level 8: C:\Windows\{DF6AAA2F-8A19-428a-B111-77150913BD9A}.exe
Command line: C:\Windows\{DF6AAA2F-8A19-428a-B111-77150913BD9A}.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1216

Level 9: C:\Windows\{D924E4F5-5050-470e-A671-60A9CE0B26DA}.exe
Command line: C:\Windows\{D924E4F5-5050-470e-A671-60A9CE0B26DA}.exe
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 2012

Level 10: C:\Windows\{6419613F-C821-4311-BC76-4D01FFD6F7EB}.exe
Command line: C:\Windows\{6419613F-C821-4311-BC76-4D01FFD6F7EB}.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2192

Level 10: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D924E~1.EXE > nul
- System Location Discovery: System Language Discovery
PID: 2248

Level 9: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DF6AA~1.EXE > nul
- System Location Discovery: System Language Discovery
PID: 1684

Level 8: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C9961~1.EXE > nul
- System Location Discovery: System Language Discovery
PID: 2136

Level 7: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{059BB~1.EXE > nul
- System Location Discovery: System Language Discovery
PID: 2820

Level 6: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F7F14~1.EXE > nul
- System Location Discovery: System Language Discovery
PID: 3032

Level 5: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{39116~1.EXE > nul
- System Location Discovery: System Language Discovery
PID: 2940

Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{90B40~1.EXE > nul
- System Location Discovery: System Language Discovery
PID: 2716

Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A0E1E~1.EXE > nul
- System Location Discovery: System Language Discovery
PID: 2900

Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6749F3~1.EXE > nul
- Deletes itself
- System Location Discovery: System Language Discovery
PID: 2872
Network
MITRE ATT&CK Enterprise v15
Downloads