654289647bb122e15c3a8ed16274169109be4077d9b630662ad998203280051a

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b44797f9ba623cccbe5041c9dd0fb40N.exe
Size

91KB
MD5

4b44797f9ba623cccbe5041c9dd0fb40
SHA1

5e1a8d221a6c69e2a6491739332f8808acd28a38
SHA256

654289647bb122e15c3a8ed16274169109be4077d9b630662ad998203280051a
SHA512

39fc02e4ec7669cfd2a2fa9237e18a85036b94fd2f7051f196c9330dda2f40bb353d90bc53046467784b99b39055efd9ece274b926c1053c4b2fe8adb68c9619
SSDEEP

768:5vw9816uhKiroK4/wQNNrfrunMxVFA3b7t:lEGkmoKlCunMxVS3Ht

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}	{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}\stubpath = "C:\\Windows\\{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe"	4b44797f9ba623cccbe5041c9dd0fb40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B405CF16-F2E6-44dd-8A93-828A1D765826}	{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{356CC5F9-EDB5-419d-97E0-3B129F8E071C}	{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F0013FB-C9B2-4d5e-BC3C-DA688AF83181}	{356CC5F9-EDB5-419d-97E0-3B129F8E071C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F0013FB-C9B2-4d5e-BC3C-DA688AF83181}\stubpath = "C:\\Windows\\{3F0013FB-C9B2-4d5e-BC3C-DA688AF83181}.exe"	{356CC5F9-EDB5-419d-97E0-3B129F8E071C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}\stubpath = "C:\\Windows\\{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe"	{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}	{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}\stubpath = "C:\\Windows\\{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe"	{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}	{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}\stubpath = "C:\\Windows\\{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe"	{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}	4b44797f9ba623cccbe5041c9dd0fb40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}	{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00674C7C-1C96-4427-BAFF-117A576E44B1}	{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00674C7C-1C96-4427-BAFF-117A576E44B1}\stubpath = "C:\\Windows\\{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe"	{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{356CC5F9-EDB5-419d-97E0-3B129F8E071C}\stubpath = "C:\\Windows\\{356CC5F9-EDB5-419d-97E0-3B129F8E071C}.exe"	{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B405CF16-F2E6-44dd-8A93-828A1D765826}\stubpath = "C:\\Windows\\{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe"	{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}\stubpath = "C:\\Windows\\{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe"	{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe

Deletes itself 1 IoCs

pid	Process
2680	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2812	{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe
888	{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe
3000	{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe
2204	{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe
828	{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe
1424	{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe
2004	{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe
2344	{356CC5F9-EDB5-419d-97E0-3B129F8E071C}.exe
2424	{3F0013FB-C9B2-4d5e-BC3C-DA688AF83181}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe	4b44797f9ba623cccbe5041c9dd0fb40N.exe
File created	C:\Windows\{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe	{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe
File created	C:\Windows\{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe	{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe
File created	C:\Windows\{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe	{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe
File created	C:\Windows\{356CC5F9-EDB5-419d-97E0-3B129F8E071C}.exe	{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe
File created	C:\Windows\{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe	{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe
File created	C:\Windows\{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe	{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe
File created	C:\Windows\{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe	{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe
File created	C:\Windows\{3F0013FB-C9B2-4d5e-BC3C-DA688AF83181}.exe	{356CC5F9-EDB5-419d-97E0-3B129F8E071C}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{356CC5F9-EDB5-419d-97E0-3B129F8E071C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F0013FB-C9B2-4d5e-BC3C-DA688AF83181}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b44797f9ba623cccbe5041c9dd0fb40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2644	4b44797f9ba623cccbe5041c9dd0fb40N.exe
Token: SeIncBasePriorityPrivilege	2812	{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe
Token: SeIncBasePriorityPrivilege	888	{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe
Token: SeIncBasePriorityPrivilege	3000	{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe
Token: SeIncBasePriorityPrivilege	2204	{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe
Token: SeIncBasePriorityPrivilege	828	{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe
Token: SeIncBasePriorityPrivilege	1424	{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe
Token: SeIncBasePriorityPrivilege	2004	{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe
Token: SeIncBasePriorityPrivilege	2344	{356CC5F9-EDB5-419d-97E0-3B129F8E071C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2812	2644	4b44797f9ba623cccbe5041c9dd0fb40N.exe	30
PID 2644 wrote to memory of 2812	2644	4b44797f9ba623cccbe5041c9dd0fb40N.exe	30
PID 2644 wrote to memory of 2812	2644	4b44797f9ba623cccbe5041c9dd0fb40N.exe	30
PID 2644 wrote to memory of 2812	2644	4b44797f9ba623cccbe5041c9dd0fb40N.exe	30
PID 2644 wrote to memory of 2680	2644	4b44797f9ba623cccbe5041c9dd0fb40N.exe	31
PID 2644 wrote to memory of 2680	2644	4b44797f9ba623cccbe5041c9dd0fb40N.exe	31
PID 2644 wrote to memory of 2680	2644	4b44797f9ba623cccbe5041c9dd0fb40N.exe	31
PID 2644 wrote to memory of 2680	2644	4b44797f9ba623cccbe5041c9dd0fb40N.exe	31
PID 2812 wrote to memory of 888	2812	{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe	32
PID 2812 wrote to memory of 888	2812	{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe	32
PID 2812 wrote to memory of 888	2812	{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe	32
PID 2812 wrote to memory of 888	2812	{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe	32
PID 2812 wrote to memory of 1312	2812	{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe	33
PID 2812 wrote to memory of 1312	2812	{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe	33
PID 2812 wrote to memory of 1312	2812	{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe	33
PID 2812 wrote to memory of 1312	2812	{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe	33
PID 888 wrote to memory of 3000	888	{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe	34
PID 888 wrote to memory of 3000	888	{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe	34
PID 888 wrote to memory of 3000	888	{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe	34
PID 888 wrote to memory of 3000	888	{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe	34
PID 888 wrote to memory of 2720	888	{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe	35
PID 888 wrote to memory of 2720	888	{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe	35
PID 888 wrote to memory of 2720	888	{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe	35
PID 888 wrote to memory of 2720	888	{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe	35
PID 3000 wrote to memory of 2204	3000	{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe	36
PID 3000 wrote to memory of 2204	3000	{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe	36
PID 3000 wrote to memory of 2204	3000	{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe	36
PID 3000 wrote to memory of 2204	3000	{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe	36
PID 3000 wrote to memory of 2360	3000	{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe	37
PID 3000 wrote to memory of 2360	3000	{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe	37
PID 3000 wrote to memory of 2360	3000	{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe	37
PID 3000 wrote to memory of 2360	3000	{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe	37
PID 2204 wrote to memory of 828	2204	{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe	38
PID 2204 wrote to memory of 828	2204	{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe	38
PID 2204 wrote to memory of 828	2204	{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe	38
PID 2204 wrote to memory of 828	2204	{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe	38
PID 2204 wrote to memory of 344	2204	{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe	39
PID 2204 wrote to memory of 344	2204	{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe	39
PID 2204 wrote to memory of 344	2204	{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe	39
PID 2204 wrote to memory of 344	2204	{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe	39
PID 828 wrote to memory of 1424	828	{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe	40
PID 828 wrote to memory of 1424	828	{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe	40
PID 828 wrote to memory of 1424	828	{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe	40
PID 828 wrote to memory of 1424	828	{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe	40
PID 828 wrote to memory of 1484	828	{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe	41
PID 828 wrote to memory of 1484	828	{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe	41
PID 828 wrote to memory of 1484	828	{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe	41
PID 828 wrote to memory of 1484	828	{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe	41
PID 1424 wrote to memory of 2004	1424	{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe	42
PID 1424 wrote to memory of 2004	1424	{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe	42
PID 1424 wrote to memory of 2004	1424	{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe	42
PID 1424 wrote to memory of 2004	1424	{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe	42
PID 1424 wrote to memory of 1112	1424	{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe	43
PID 1424 wrote to memory of 1112	1424	{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe	43
PID 1424 wrote to memory of 1112	1424	{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe	43
PID 1424 wrote to memory of 1112	1424	{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe	43
PID 2004 wrote to memory of 2344	2004	{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe	45
PID 2004 wrote to memory of 2344	2004	{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe	45
PID 2004 wrote to memory of 2344	2004	{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe	45
PID 2004 wrote to memory of 2344	2004	{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe	45
PID 2004 wrote to memory of 2176	2004	{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe	46
PID 2004 wrote to memory of 2176	2004	{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe	46
PID 2004 wrote to memory of 2176	2004	{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe	46
PID 2004 wrote to memory of 2176	2004	{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe	46

C:\Users\Admin\AppData\Local\Temp\4b44797f9ba623cccbe5041c9dd0fb40N.exe
"C:\Users\Admin\AppData\Local\Temp\4b44797f9ba623cccbe5041c9dd0fb40N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe
  C:\Windows\{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe
    C:\Windows\{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe
      C:\Windows\{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe
        
        C:\Windows\{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Windows\{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe
        
        C:\Windows\{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe
        
        C:\Windows\{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe
        
        C:\Windows\{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\{356CC5F9-EDB5-419d-97E0-3B129F8E071C}.exe
        
        C:\Windows\{356CC5F9-EDB5-419d-97E0-3B129F8E071C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\{3F0013FB-C9B2-4d5e-BC3C-DA688AF83181}.exe
        
        C:\Windows\{3F0013FB-C9B2-4d5e-BC3C-DA688AF83181}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{356CC~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00674~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05A59~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{961EA~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE7B4~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EF3A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B405C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FA869~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4B4479~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00674C7C-1C96-4427-BAFF-117A576E44B1}.exe

Filesize
91KB

MD5
b38673b8711fdba184d97c1dc5296269

SHA1
768a0ee517e8f931a87d534363597b7bd2fd9f9f

SHA256
4b5fddb440f557e58bf305abe17dd574df5f99c6f0d6385a4d873fbd905bf2ea

SHA512
997a235310f149a7118c4fc78f899ca91917819ff33045cb5e2c72b48d932a45c0e9a05dd64b89282a9d7d2ec3dd99a6a111e7d7fc850c1f3bdcc17ced1078b5

Download Submit
C:\Windows\{05A59E76-2EA1-4fe0-805E-7CCB40D30D3A}.exe

Filesize
91KB

MD5
943d17c129489c5cf53986b820f5d044

SHA1
b2c8824cff93cf818c984e325c67fbdbe5976333

SHA256
ccba2ec6e958ff17c986e9590e229f8c154a4837cb250d4fbeccb2c30f483909

SHA512
1dd4dd103661ab391a8b29556201834c17c3277f7ae720415405e0ff6ad8d7b7ab4a6fa48f1be0eee731bec6a286a6d0e0b18dbd793fb02bedfc2d2a5e10cd52

Download Submit
C:\Windows\{0EF3AC2B-5058-4373-A1A3-CF1AB1725D9D}.exe

Filesize
91KB

MD5
9a7cbe80c328f9706d7b7ad775483d28

SHA1
c8c2438331d175c5e6df3cb607d059cf52abf989

SHA256
8525dfa00ce3b6fee6369a118cd4c87e2227f8281eca1962e185f62b3a90e15a

SHA512
7d67445bde103e729cd967de7b6621eeb1716198d8e489acd6691e59a51fbcadf7d5cca284229ff8224225b99a096c315bedb2f86d77e13c0e0667b2f96acb2d

Download Submit
C:\Windows\{356CC5F9-EDB5-419d-97E0-3B129F8E071C}.exe

Filesize
91KB

MD5
7e904776b49669c167836a1729f0fc0f

SHA1
7345da4ca24d5e71f388c6649c5af71761977a2d

SHA256
d9a609e7a48f40e9166f679bfe6e1b151158b3b4592abb98da0fafa574c6feff

SHA512
3c58c28a968a8007a91e644f5580920a0a67018ad30def429669a9599241ce509b8b37ae1b546be48ea75184382ee15667ef848aef264352de6c9701d821fff5

Download Submit
C:\Windows\{3F0013FB-C9B2-4d5e-BC3C-DA688AF83181}.exe

Filesize
91KB

MD5
145cb76a299187b124723ec7d671281d

SHA1
4f183f04f0ef532b00cb99869e28e251e2cedef7

SHA256
50da28d4e37a2ba194fb0aac00ea9f26ef137eaf9f6b6802b7109bf8a35f3458

SHA512
dfcd8d95cb0fb23cff59d34b6ffbd4ea861a6e08800a9f15f1ed6e55289fdcc0ef6e62c60f75cd3843a15c4b548485ef29f140fb187a890a36b751446db246f2

Download Submit
C:\Windows\{961EAEB7-740F-4cf3-BEFF-5EDA3590FB1B}.exe

Filesize
91KB

MD5
ff5dfaaae83fea7f065fd74286f45226

SHA1
dedc2739b80fde0ce724b1cb7abf4289b01f06bd

SHA256
c7a2c917b70eb8f8ef31e46c7a0f6bb5741ac4566fc686c3aaadb5a84cd7ba89

SHA512
e268ff6eaf77bcbdb8db20a48d93d3ded0872b34a8b780ff243e2e526cac8a89d1713af92f5b302759a7dfe04a0b6ee610f71aa4c322a8c274679d09fc72aed7

Download Submit
C:\Windows\{AE7B4047-7634-4dc0-BBFC-1F981D2CA081}.exe

Filesize
91KB

MD5
d0877c5b82ce695eb23c4bf339cc6900

SHA1
0a1d4f80f2ad957e0a64ba54ad6dcd97efbdcafa

SHA256
6c0c7ac2bc406e2f3b24727662f1f97076a543a739ca5088bcd2ac277790587c

SHA512
3750e851e5e4970b8b6a59d5e3d79a214da98d4fc77014739b6092b974083f13cd89b7c16990225bed89ef0026786f998302cd996088e48a05337064305e38d8

Download Submit
C:\Windows\{B405CF16-F2E6-44dd-8A93-828A1D765826}.exe

Filesize
91KB

MD5
f61f3e1a74df6df530c233f41b26825a

SHA1
f06fb73aaa73cb8e3dcc69624fecdbbe92e9591b

SHA256
c75ba83777f03392baa0c6bd8b867df682b1db22b0f66acbea1d4bdd2bf6298d

SHA512
9217999f94e276e294ed2db074d6d9d44da89bc54e74f7b7a5881a304c2d338843e4db7ff95668ec8c2c8cd4715666d1de99f5bf2a8803b5558349e416a0ac15

Download Submit
C:\Windows\{FA869E20-FDFC-4777-8E8E-BC9575C2B53F}.exe

Filesize
91KB

MD5
79bed6b121a9662bd70f06f2ba14df3f

SHA1
cacd95024fe3f850498f8630938ef97f9175f4a7

SHA256
65dda9d1cf139428736d69acba41a5c3c5961cb58f9193ea5816b7c8c408b96a

SHA512
d8f55e2c6eda855a980c6da452ee93b49efbaa269021fb3bb72272f4ed75069124c3148a928f42827bcd6e13442146728a2b35fcb126258f06ee264b6ed66e7c

Download Submit
memory/828-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/828-56-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/828-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/888-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/888-21-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/888-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/888-24-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/1424-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1424-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1424-66-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/2004-81-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2004-75-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2204-48-0x00000000004B0000-0x00000000004C1000-memory.dmp

Filesize
68KB

Download
memory/2204-47-0x00000000004B0000-0x00000000004C1000-memory.dmp

Filesize
68KB

Download
memory/2204-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2204-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2204-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2344-89-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/2344-91-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2344-85-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/2644-8-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2644-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2644-4-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2644-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2644-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2812-14-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/2812-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3000-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3000-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3000-34-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads