28af2f5501c2bf4e519cc842f489a7b17d6485802f703fd0b766d1286b890bda

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4f2a3b2a4e76c63128d4e037b644a90N.exe
Size

89KB
MD5

c4f2a3b2a4e76c63128d4e037b644a90
SHA1

0719b5f49d5ffee69e24d9531421e14ff04bc09b
SHA256

28af2f5501c2bf4e519cc842f489a7b17d6485802f703fd0b766d1286b890bda
SHA512

b712379b8460f3347cbda052421f8eb07e82c3914cb52f11c69449f1dddd8d54167f12f3b0d0161149dd7bbe36c770f288878b0d14f4f17a70b1391e2996c56b
SSDEEP

768:Qvw9816vhKQLrov4/wQRNrfrunMxVFA3b7gl:YEGh0ovl2unMxVS3Hg

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EFDFE15-6857-44c8-BD96-B9F52B28A081}\stubpath = "C:\\Windows\\{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe"	c4f2a3b2a4e76c63128d4e037b644a90N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10C9140D-4932-4732-AED7-046BCC48FD70}	{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C33A7D3-2716-41df-8C60-2D6A118DDA82}\stubpath = "C:\\Windows\\{8C33A7D3-2716-41df-8C60-2D6A118DDA82}.exe"	{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07D90887-6F4E-4a00-9DF2-3A9076C27512}\stubpath = "C:\\Windows\\{07D90887-6F4E-4a00-9DF2-3A9076C27512}.exe"	{8C33A7D3-2716-41df-8C60-2D6A118DDA82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}	{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}\stubpath = "C:\\Windows\\{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe"	{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}	{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B371949-8382-430e-9CB3-9A4AEA32DDCC}	{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B371949-8382-430e-9CB3-9A4AEA32DDCC}\stubpath = "C:\\Windows\\{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe"	{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EFDFE15-6857-44c8-BD96-B9F52B28A081}	c4f2a3b2a4e76c63128d4e037b644a90N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}	{10C9140D-4932-4732-AED7-046BCC48FD70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}\stubpath = "C:\\Windows\\{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe"	{10C9140D-4932-4732-AED7-046BCC48FD70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07D90887-6F4E-4a00-9DF2-3A9076C27512}	{8C33A7D3-2716-41df-8C60-2D6A118DDA82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}	{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}\stubpath = "C:\\Windows\\{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe"	{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}\stubpath = "C:\\Windows\\{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe"	{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10C9140D-4932-4732-AED7-046BCC48FD70}\stubpath = "C:\\Windows\\{10C9140D-4932-4732-AED7-046BCC48FD70}.exe"	{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C33A7D3-2716-41df-8C60-2D6A118DDA82}	{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe

Deletes itself 1 IoCs

pid	Process
2036	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2292	{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe
2784	{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe
2476	{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe
2836	{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe
2404	{10C9140D-4932-4732-AED7-046BCC48FD70}.exe
976	{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe
2736	{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe
2956	{8C33A7D3-2716-41df-8C60-2D6A118DDA82}.exe
2360	{07D90887-6F4E-4a00-9DF2-3A9076C27512}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{8C33A7D3-2716-41df-8C60-2D6A118DDA82}.exe	{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe
File created	C:\Windows\{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe	{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe
File created	C:\Windows\{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe	{10C9140D-4932-4732-AED7-046BCC48FD70}.exe
File created	C:\Windows\{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe	{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe
File created	C:\Windows\{10C9140D-4932-4732-AED7-046BCC48FD70}.exe	{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe
File created	C:\Windows\{07D90887-6F4E-4a00-9DF2-3A9076C27512}.exe	{8C33A7D3-2716-41df-8C60-2D6A118DDA82}.exe
File created	C:\Windows\{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe	c4f2a3b2a4e76c63128d4e037b644a90N.exe
File created	C:\Windows\{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe	{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe
File created	C:\Windows\{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe	{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C33A7D3-2716-41df-8C60-2D6A118DDA82}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{10C9140D-4932-4732-AED7-046BCC48FD70}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{07D90887-6F4E-4a00-9DF2-3A9076C27512}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4f2a3b2a4e76c63128d4e037b644a90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1172	c4f2a3b2a4e76c63128d4e037b644a90N.exe
Token: SeIncBasePriorityPrivilege	2292	{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe
Token: SeIncBasePriorityPrivilege	2784	{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe
Token: SeIncBasePriorityPrivilege	2476	{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe
Token: SeIncBasePriorityPrivilege	2836	{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe
Token: SeIncBasePriorityPrivilege	2404	{10C9140D-4932-4732-AED7-046BCC48FD70}.exe
Token: SeIncBasePriorityPrivilege	976	{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe
Token: SeIncBasePriorityPrivilege	2736	{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe
Token: SeIncBasePriorityPrivilege	2956	{8C33A7D3-2716-41df-8C60-2D6A118DDA82}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2292	1172	c4f2a3b2a4e76c63128d4e037b644a90N.exe	31
PID 1172 wrote to memory of 2292	1172	c4f2a3b2a4e76c63128d4e037b644a90N.exe	31
PID 1172 wrote to memory of 2292	1172	c4f2a3b2a4e76c63128d4e037b644a90N.exe	31
PID 1172 wrote to memory of 2292	1172	c4f2a3b2a4e76c63128d4e037b644a90N.exe	31
PID 1172 wrote to memory of 2036	1172	c4f2a3b2a4e76c63128d4e037b644a90N.exe	32
PID 1172 wrote to memory of 2036	1172	c4f2a3b2a4e76c63128d4e037b644a90N.exe	32
PID 1172 wrote to memory of 2036	1172	c4f2a3b2a4e76c63128d4e037b644a90N.exe	32
PID 1172 wrote to memory of 2036	1172	c4f2a3b2a4e76c63128d4e037b644a90N.exe	32
PID 2292 wrote to memory of 2784	2292	{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe	33
PID 2292 wrote to memory of 2784	2292	{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe	33
PID 2292 wrote to memory of 2784	2292	{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe	33
PID 2292 wrote to memory of 2784	2292	{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe	33
PID 2292 wrote to memory of 2864	2292	{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe	34
PID 2292 wrote to memory of 2864	2292	{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe	34
PID 2292 wrote to memory of 2864	2292	{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe	34
PID 2292 wrote to memory of 2864	2292	{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe	34
PID 2784 wrote to memory of 2476	2784	{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe	35
PID 2784 wrote to memory of 2476	2784	{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe	35
PID 2784 wrote to memory of 2476	2784	{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe	35
PID 2784 wrote to memory of 2476	2784	{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe	35
PID 2784 wrote to memory of 2748	2784	{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe	36
PID 2784 wrote to memory of 2748	2784	{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe	36
PID 2784 wrote to memory of 2748	2784	{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe	36
PID 2784 wrote to memory of 2748	2784	{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe	36
PID 2476 wrote to memory of 2836	2476	{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe	37
PID 2476 wrote to memory of 2836	2476	{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe	37
PID 2476 wrote to memory of 2836	2476	{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe	37
PID 2476 wrote to memory of 2836	2476	{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe	37
PID 2476 wrote to memory of 2564	2476	{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe	38
PID 2476 wrote to memory of 2564	2476	{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe	38
PID 2476 wrote to memory of 2564	2476	{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe	38
PID 2476 wrote to memory of 2564	2476	{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe	38
PID 2836 wrote to memory of 2404	2836	{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe	39
PID 2836 wrote to memory of 2404	2836	{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe	39
PID 2836 wrote to memory of 2404	2836	{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe	39
PID 2836 wrote to memory of 2404	2836	{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe	39
PID 2836 wrote to memory of 1488	2836	{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe	40
PID 2836 wrote to memory of 1488	2836	{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe	40
PID 2836 wrote to memory of 1488	2836	{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe	40
PID 2836 wrote to memory of 1488	2836	{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe	40
PID 2404 wrote to memory of 976	2404	{10C9140D-4932-4732-AED7-046BCC48FD70}.exe	41
PID 2404 wrote to memory of 976	2404	{10C9140D-4932-4732-AED7-046BCC48FD70}.exe	41
PID 2404 wrote to memory of 976	2404	{10C9140D-4932-4732-AED7-046BCC48FD70}.exe	41
PID 2404 wrote to memory of 976	2404	{10C9140D-4932-4732-AED7-046BCC48FD70}.exe	41
PID 2404 wrote to memory of 1612	2404	{10C9140D-4932-4732-AED7-046BCC48FD70}.exe	42
PID 2404 wrote to memory of 1612	2404	{10C9140D-4932-4732-AED7-046BCC48FD70}.exe	42
PID 2404 wrote to memory of 1612	2404	{10C9140D-4932-4732-AED7-046BCC48FD70}.exe	42
PID 2404 wrote to memory of 1612	2404	{10C9140D-4932-4732-AED7-046BCC48FD70}.exe	42
PID 976 wrote to memory of 2736	976	{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe	43
PID 976 wrote to memory of 2736	976	{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe	43
PID 976 wrote to memory of 2736	976	{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe	43
PID 976 wrote to memory of 2736	976	{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe	43
PID 976 wrote to memory of 1764	976	{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe	44
PID 976 wrote to memory of 1764	976	{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe	44
PID 976 wrote to memory of 1764	976	{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe	44
PID 976 wrote to memory of 1764	976	{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe	44
PID 2736 wrote to memory of 2956	2736	{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe	46
PID 2736 wrote to memory of 2956	2736	{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe	46
PID 2736 wrote to memory of 2956	2736	{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe	46
PID 2736 wrote to memory of 2956	2736	{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe	46
PID 2736 wrote to memory of 2896	2736	{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe	47
PID 2736 wrote to memory of 2896	2736	{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe	47
PID 2736 wrote to memory of 2896	2736	{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe	47
PID 2736 wrote to memory of 2896	2736	{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe	47

C:\Users\Admin\AppData\Local\Temp\c4f2a3b2a4e76c63128d4e037b644a90N.exe
"C:\Users\Admin\AppData\Local\Temp\c4f2a3b2a4e76c63128d4e037b644a90N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe
  C:\Windows\{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe
    C:\Windows\{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe
      C:\Windows\{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe
        
        C:\Windows\{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\{10C9140D-4932-4732-AED7-046BCC48FD70}.exe
        
        C:\Windows\{10C9140D-4932-4732-AED7-046BCC48FD70}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe
        
        C:\Windows\{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe
        
        C:\Windows\{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{8C33A7D3-2716-41df-8C60-2D6A118DDA82}.exe
        
        C:\Windows\{8C33A7D3-2716-41df-8C60-2D6A118DDA82}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\{07D90887-6F4E-4a00-9DF2-3A9076C27512}.exe
        
        C:\Windows\{07D90887-6F4E-4a00-9DF2-3A9076C27512}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C33A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B371~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A991~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10C91~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE25D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3D60~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{70C0A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6EFDF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C4F2A3~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07D90887-6F4E-4a00-9DF2-3A9076C27512}.exe

Filesize
89KB

MD5
49873cb362398bb54c3f59d80aa3f130

SHA1
23532894bf047acde926e1ea1de1097e3fb8f776

SHA256
47065d7463dcd83c6aa7a10795070c057cdd9e427721609acfe7c3cf96bc63c8

SHA512
6c753106d2809c833e71ebd56c2c075ad96a576f9c435bfff3848e17e1ff4fac4166c1875dd3b8c5864c059b5a4566c1662d51a2cea4543667097dacab8a8879

Download Submit
C:\Windows\{10C9140D-4932-4732-AED7-046BCC48FD70}.exe

Filesize
89KB

MD5
dde8b8a633dd4d046221104a7431fdc0

SHA1
539a6575f5ee8fcc95657c59afd3ded7ca27389c

SHA256
b09351851e558f04b3709f76d735b1518ae1949d48c01cd4f4d5dce1ef0862ae

SHA512
b14ee5e013692bbbee87c109b396683f21c298f909fdb2b6c3084a687b318ffb97be33981b6730b75f89feb12135a789773438cb2ec11e99f905ffa55519ca35

Download Submit
C:\Windows\{6B371949-8382-430e-9CB3-9A4AEA32DDCC}.exe

Filesize
89KB

MD5
9ca033c3ee772db10b087cafd0ba32af

SHA1
ad69ab1db9a3ff95f431d954eed4ff0c01f71b71

SHA256
fec8719b724e7c899eef92974b724ec8a3c9f44faee020d8428aa8b6b556f35a

SHA512
17d1436f27e1c2502337aa2bb1c02376f57b547e60cf1ead41f11240a17027c874d597755e7f90d1d62a56a95efd4f854585a8d9af01bd56041a999ea38e926f

Download Submit
C:\Windows\{6EFDFE15-6857-44c8-BD96-B9F52B28A081}.exe

Filesize
89KB

MD5
069e6cb630d1ee2d017c2c6d7a5abe39

SHA1
9f29d9db84155a248015fb8d6dfee823a10ee6fe

SHA256
f6e94f2ad0903cfc4a45c6e2bde1dd9720cb77786d7bfc3b87f96a0b4a515e54

SHA512
95e48a97a4349b211bc09d20d320b302df1eebf9406fe577609cd541e81d501c9e96bc7b79feb443f98d8aca7ff0d719a2e37c8fb2adf6d28e25ad712de05380

Download Submit
C:\Windows\{70C0A0DF-5967-43c6-8C6F-02E85E4F3E92}.exe

Filesize
89KB

MD5
082b39e670ac0b32b27100a307afcebc

SHA1
5038cf21ca7f660fd075eafbd022005aa202b812

SHA256
bc314aa5bc9cdc255f3c4ac3035b5e629b3d7040f8ed41d4bd1be0ff4daeb6c6

SHA512
48125f7d2dc420277c0c4d2019e63cd4b12d7e6a511b18435320f915b50454fc8a22a29961284aa3cb60ac6de6c587d7f966182deb31b08aa7a0c9be472b0ad6

Download Submit
C:\Windows\{8A991093-DAA8-41e5-BCF3-1890B4E73C3C}.exe

Filesize
89KB

MD5
37b66dcd3a8829302c1248946b4e2424

SHA1
0138045b8ef904657ee7cb777e31413c2e64cfd7

SHA256
8ce9920eb20f642c5dd3cd2cba756f7f2f8f72dad89592358aaa7c9a5aafacad

SHA512
b4c9d8944bb2f4165fd0b1992bc6d17cc8cd6d1455963836eca91bc0ed0d3080097fb334a947818c0e1779eaeecd4a58e06c99d7b5ce7fcc4339a722874a2b11

Download Submit
C:\Windows\{8C33A7D3-2716-41df-8C60-2D6A118DDA82}.exe

Filesize
89KB

MD5
1c2bc04349fca43e32ae90a466f7866e

SHA1
1812040ae83a4af677eb14dfd0e83fdfb90f7d17

SHA256
d13b59d248a7ebfe7b3ec481e6173cc66c87d47370ac3f37bf59a698134dc365

SHA512
5e727b179c1d45a4c87897f4a214873315fc2560a890a21371a5cdf1ced92bdfb28ca95806b1e27d6543ab406e82bee2fc690d71e39077d6e66018dc3c0b51fa

Download Submit
C:\Windows\{EE25DAD9-5856-4e8b-BB02-E6D57F7667EB}.exe

Filesize
89KB

MD5
6e8d38ea5298e1c255417effc221cd8b

SHA1
74b100f923bd5f8aa6154392a84b3f9f590a41bd

SHA256
474e877e2982eb104f588df2ba373e3521440a55177c6c2089efd933faf0d566

SHA512
917a8446e9ffaaf3071fb09f272adbb617ad8d8b01072acbe67b300cbc822db15f19cdd31b9155c36b368b48652f1184bec750188757c3bba244ebd6cd7311c4

Download Submit
C:\Windows\{F3D60F8B-8E7F-40fb-8672-1FF5CB9CD95E}.exe

Filesize
89KB

MD5
fb31aa21157ef924efcf498ca5ecbf56

SHA1
903c6d0d4ebd963c86bf623bf0846f86db1c8166

SHA256
2de11dbf133d96b333478de322d3f047ac091827a5139855130207936626ca15

SHA512
29673deaf397cd7e84dc03ace8e2b7492ed9d95a70f7592aa84535a57271783027e9870b8617aeed2941f37fd3680cfe09c02427a9ad4258ed24edfc83084a4f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads