654289647bb122e15c3a8ed16274169109be4077d9b630662ad998203280051a

Analysis

max time kernel
118s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 14:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b44797f9ba623cccbe5041c9dd0fb40N.exe
Size

91KB
MD5

4b44797f9ba623cccbe5041c9dd0fb40
SHA1

5e1a8d221a6c69e2a6491739332f8808acd28a38
SHA256

654289647bb122e15c3a8ed16274169109be4077d9b630662ad998203280051a
SHA512

39fc02e4ec7669cfd2a2fa9237e18a85036b94fd2f7051f196c9330dda2f40bb353d90bc53046467784b99b39055efd9ece274b926c1053c4b2fe8adb68c9619
SSDEEP

768:5vw9816uhKiroK4/wQNNrfrunMxVFA3b7t:lEGkmoKlCunMxVS3Ht

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77D4BDEC-02DF-41e8-BA65-CC2984637689}	4b44797f9ba623cccbe5041c9dd0fb40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F04F89D1-4443-4bf9-AD48-A49870216852}\stubpath = "C:\\Windows\\{F04F89D1-4443-4bf9-AD48-A49870216852}.exe"	{9EF381F7-3617-4266-AE96-0994865E11AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{318FC896-3FAC-425d-AF28-475380F6923F}	{42E4ADD4-8009-476d-9423-96A94812E862}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7C6F83C-0B8B-452f-996B-F030A7791048}\stubpath = "C:\\Windows\\{A7C6F83C-0B8B-452f-996B-F030A7791048}.exe"	{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67277E68-86CF-4cee-80D4-0BF95AFC58A2}	{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EF381F7-3617-4266-AE96-0994865E11AD}	{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F04F89D1-4443-4bf9-AD48-A49870216852}	{9EF381F7-3617-4266-AE96-0994865E11AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42E4ADD4-8009-476d-9423-96A94812E862}	{F04F89D1-4443-4bf9-AD48-A49870216852}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42E4ADD4-8009-476d-9423-96A94812E862}\stubpath = "C:\\Windows\\{42E4ADD4-8009-476d-9423-96A94812E862}.exe"	{F04F89D1-4443-4bf9-AD48-A49870216852}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}\stubpath = "C:\\Windows\\{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe"	{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67277E68-86CF-4cee-80D4-0BF95AFC58A2}\stubpath = "C:\\Windows\\{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe"	{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EF381F7-3617-4266-AE96-0994865E11AD}\stubpath = "C:\\Windows\\{9EF381F7-3617-4266-AE96-0994865E11AD}.exe"	{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77D4BDEC-02DF-41e8-BA65-CC2984637689}\stubpath = "C:\\Windows\\{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe"	4b44797f9ba623cccbe5041c9dd0fb40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}	{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{318FC896-3FAC-425d-AF28-475380F6923F}\stubpath = "C:\\Windows\\{318FC896-3FAC-425d-AF28-475380F6923F}.exe"	{42E4ADD4-8009-476d-9423-96A94812E862}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}	{318FC896-3FAC-425d-AF28-475380F6923F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}\stubpath = "C:\\Windows\\{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe"	{318FC896-3FAC-425d-AF28-475380F6923F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7C6F83C-0B8B-452f-996B-F030A7791048}	{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe

Executes dropped EXE 9 IoCs

pid	Process
2392	{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe
5104	{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe
3232	{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe
1660	{9EF381F7-3617-4266-AE96-0994865E11AD}.exe
2296	{F04F89D1-4443-4bf9-AD48-A49870216852}.exe
1656	{42E4ADD4-8009-476d-9423-96A94812E862}.exe
116	{318FC896-3FAC-425d-AF28-475380F6923F}.exe
404	{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe
3628	{A7C6F83C-0B8B-452f-996B-F030A7791048}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe	4b44797f9ba623cccbe5041c9dd0fb40N.exe
File created	C:\Windows\{F04F89D1-4443-4bf9-AD48-A49870216852}.exe	{9EF381F7-3617-4266-AE96-0994865E11AD}.exe
File created	C:\Windows\{42E4ADD4-8009-476d-9423-96A94812E862}.exe	{F04F89D1-4443-4bf9-AD48-A49870216852}.exe
File created	C:\Windows\{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe	{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe
File created	C:\Windows\{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe	{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe
File created	C:\Windows\{9EF381F7-3617-4266-AE96-0994865E11AD}.exe	{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe
File created	C:\Windows\{318FC896-3FAC-425d-AF28-475380F6923F}.exe	{42E4ADD4-8009-476d-9423-96A94812E862}.exe
File created	C:\Windows\{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe	{318FC896-3FAC-425d-AF28-475380F6923F}.exe
File created	C:\Windows\{A7C6F83C-0B8B-452f-996B-F030A7791048}.exe	{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7C6F83C-0B8B-452f-996B-F030A7791048}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F04F89D1-4443-4bf9-AD48-A49870216852}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b44797f9ba623cccbe5041c9dd0fb40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9EF381F7-3617-4266-AE96-0994865E11AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{42E4ADD4-8009-476d-9423-96A94812E862}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{318FC896-3FAC-425d-AF28-475380F6923F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4860	4b44797f9ba623cccbe5041c9dd0fb40N.exe
Token: SeIncBasePriorityPrivilege	2392	{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe
Token: SeIncBasePriorityPrivilege	5104	{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe
Token: SeIncBasePriorityPrivilege	3232	{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe
Token: SeIncBasePriorityPrivilege	1660	{9EF381F7-3617-4266-AE96-0994865E11AD}.exe
Token: SeIncBasePriorityPrivilege	2296	{F04F89D1-4443-4bf9-AD48-A49870216852}.exe
Token: SeIncBasePriorityPrivilege	1656	{42E4ADD4-8009-476d-9423-96A94812E862}.exe
Token: SeIncBasePriorityPrivilege	116	{318FC896-3FAC-425d-AF28-475380F6923F}.exe
Token: SeIncBasePriorityPrivilege	404	{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 2392	4860	4b44797f9ba623cccbe5041c9dd0fb40N.exe	93
PID 4860 wrote to memory of 2392	4860	4b44797f9ba623cccbe5041c9dd0fb40N.exe	93
PID 4860 wrote to memory of 2392	4860	4b44797f9ba623cccbe5041c9dd0fb40N.exe	93
PID 4860 wrote to memory of 3260	4860	4b44797f9ba623cccbe5041c9dd0fb40N.exe	94
PID 4860 wrote to memory of 3260	4860	4b44797f9ba623cccbe5041c9dd0fb40N.exe	94
PID 4860 wrote to memory of 3260	4860	4b44797f9ba623cccbe5041c9dd0fb40N.exe	94
PID 2392 wrote to memory of 5104	2392	{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe	95
PID 2392 wrote to memory of 5104	2392	{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe	95
PID 2392 wrote to memory of 5104	2392	{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe	95
PID 2392 wrote to memory of 1380	2392	{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe	96
PID 2392 wrote to memory of 1380	2392	{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe	96
PID 2392 wrote to memory of 1380	2392	{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe	96
PID 5104 wrote to memory of 3232	5104	{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe	99
PID 5104 wrote to memory of 3232	5104	{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe	99
PID 5104 wrote to memory of 3232	5104	{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe	99
PID 5104 wrote to memory of 824	5104	{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe	100
PID 5104 wrote to memory of 824	5104	{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe	100
PID 5104 wrote to memory of 824	5104	{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe	100
PID 3232 wrote to memory of 1660	3232	{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe	101
PID 3232 wrote to memory of 1660	3232	{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe	101
PID 3232 wrote to memory of 1660	3232	{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe	101
PID 3232 wrote to memory of 3116	3232	{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe	102
PID 3232 wrote to memory of 3116	3232	{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe	102
PID 3232 wrote to memory of 3116	3232	{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe	102
PID 1660 wrote to memory of 2296	1660	{9EF381F7-3617-4266-AE96-0994865E11AD}.exe	103
PID 1660 wrote to memory of 2296	1660	{9EF381F7-3617-4266-AE96-0994865E11AD}.exe	103
PID 1660 wrote to memory of 2296	1660	{9EF381F7-3617-4266-AE96-0994865E11AD}.exe	103
PID 1660 wrote to memory of 4496	1660	{9EF381F7-3617-4266-AE96-0994865E11AD}.exe	104
PID 1660 wrote to memory of 4496	1660	{9EF381F7-3617-4266-AE96-0994865E11AD}.exe	104
PID 1660 wrote to memory of 4496	1660	{9EF381F7-3617-4266-AE96-0994865E11AD}.exe	104
PID 2296 wrote to memory of 1656	2296	{F04F89D1-4443-4bf9-AD48-A49870216852}.exe	105
PID 2296 wrote to memory of 1656	2296	{F04F89D1-4443-4bf9-AD48-A49870216852}.exe	105
PID 2296 wrote to memory of 1656	2296	{F04F89D1-4443-4bf9-AD48-A49870216852}.exe	105
PID 2296 wrote to memory of 2148	2296	{F04F89D1-4443-4bf9-AD48-A49870216852}.exe	106
PID 2296 wrote to memory of 2148	2296	{F04F89D1-4443-4bf9-AD48-A49870216852}.exe	106
PID 2296 wrote to memory of 2148	2296	{F04F89D1-4443-4bf9-AD48-A49870216852}.exe	106
PID 1656 wrote to memory of 116	1656	{42E4ADD4-8009-476d-9423-96A94812E862}.exe	107
PID 1656 wrote to memory of 116	1656	{42E4ADD4-8009-476d-9423-96A94812E862}.exe	107
PID 1656 wrote to memory of 116	1656	{42E4ADD4-8009-476d-9423-96A94812E862}.exe	107
PID 1656 wrote to memory of 3568	1656	{42E4ADD4-8009-476d-9423-96A94812E862}.exe	108
PID 1656 wrote to memory of 3568	1656	{42E4ADD4-8009-476d-9423-96A94812E862}.exe	108
PID 1656 wrote to memory of 3568	1656	{42E4ADD4-8009-476d-9423-96A94812E862}.exe	108
PID 116 wrote to memory of 404	116	{318FC896-3FAC-425d-AF28-475380F6923F}.exe	109
PID 116 wrote to memory of 404	116	{318FC896-3FAC-425d-AF28-475380F6923F}.exe	109
PID 116 wrote to memory of 404	116	{318FC896-3FAC-425d-AF28-475380F6923F}.exe	109
PID 116 wrote to memory of 1916	116	{318FC896-3FAC-425d-AF28-475380F6923F}.exe	110
PID 116 wrote to memory of 1916	116	{318FC896-3FAC-425d-AF28-475380F6923F}.exe	110
PID 116 wrote to memory of 1916	116	{318FC896-3FAC-425d-AF28-475380F6923F}.exe	110
PID 404 wrote to memory of 3628	404	{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe	111
PID 404 wrote to memory of 3628	404	{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe	111
PID 404 wrote to memory of 3628	404	{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe	111
PID 404 wrote to memory of 4804	404	{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe	112
PID 404 wrote to memory of 4804	404	{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe	112
PID 404 wrote to memory of 4804	404	{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe	112

C:\Users\Admin\AppData\Local\Temp\4b44797f9ba623cccbe5041c9dd0fb40N.exe
"C:\Users\Admin\AppData\Local\Temp\4b44797f9ba623cccbe5041c9dd0fb40N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe
  C:\Windows\{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe
    C:\Windows\{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe
      C:\Windows\{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3232
    - - C:\Windows\{9EF381F7-3617-4266-AE96-0994865E11AD}.exe
        
        C:\Windows\{9EF381F7-3617-4266-AE96-0994865E11AD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\{F04F89D1-4443-4bf9-AD48-A49870216852}.exe
        
        C:\Windows\{F04F89D1-4443-4bf9-AD48-A49870216852}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\{42E4ADD4-8009-476d-9423-96A94812E862}.exe
        
        C:\Windows\{42E4ADD4-8009-476d-9423-96A94812E862}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\{318FC896-3FAC-425d-AF28-475380F6923F}.exe
        
        C:\Windows\{318FC896-3FAC-425d-AF28-475380F6923F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe
        
        C:\Windows\{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\{A7C6F83C-0B8B-452f-996B-F030A7791048}.exe
        
        C:\Windows\{A7C6F83C-0B8B-452f-996B-F030A7791048}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0D43~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{318FC~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42E4A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F04F8~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EF38~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67277~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CB5A3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{77D4B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4B4479~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3260

Network

DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

1.208.79.178.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.208.79.178.in-addr.arpa

IN PTR

Response

1.208.79.178.in-addr.arpa

IN PTR

https-178-79-208-1amsllnwnet
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

1.208.79.178.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

1.208.79.178.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{318FC896-3FAC-425d-AF28-475380F6923F}.exe

Filesize
91KB

MD5
ae09b1cdaab0f8ec3c8383d8e3fc7d99

SHA1
f8628598f14afbdfc7cbd07957fc1dea99f4801e

SHA256
ddfe7cad36d55e68889ceae5e5164b98ecb2e57be8f2af520af39a5e6c066610

SHA512
e635cff966d2272cf7666c3adb174117cbb45aafa7e1d0c167f63298baf8c0b894a0d19c81217244de12df6864b040e7124657cc1d2f9caebe6984dfbebc6da9

Download Submit
C:\Windows\{42E4ADD4-8009-476d-9423-96A94812E862}.exe

Filesize
91KB

MD5
ddfc3122ab6e819cd975979bad790fc6

SHA1
a941c51a42304abf897416f8a560c111b7aca973

SHA256
052d258064f9589536273aad4e4b70414b8964ad5126addf16fa1dcd37c567fa

SHA512
255a8e73cd9fe99b9772d1d1743ce0f3687b129f0ce3cb9e6b137620a90aad2ad0d71389583fc8cbcd36f20b67ba690e57fc189cc51844935030e583752eb8bd

Download Submit
C:\Windows\{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe

Filesize
91KB

MD5
8358561445453a765ef0546aa1ec38d6

SHA1
3ac58dfcf9194cbfbd39b1236590271ab55d19e7

SHA256
f2e71807a864a28830e97fff7af6ca93d5dd2ecb4ff7f2a1a9dd4b5fc1036ed4

SHA512
476c15e5407076e478e5915cb85dc2adb6389d60352132a233cf7a5f104b6927d626d17329d0754aec49025d67629e5b7e118f333be0698b8d53c1511eca040b

Download Submit
C:\Windows\{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe

Filesize
91KB

MD5
c7ae8043db74ed9ea5c1003e58c9e819

SHA1
43013c0cabd6881b06a98f120189181acf559a3c

SHA256
0e4bf1fef9dbb2590e5d569219dfcee9eb540f88b49736649c7edd70c47db943

SHA512
4035a1f364c1af4b83ddf3215e640678e43023dd8a3bdf02edca327dd5c43728451f70badb18c975b53e3c49e3e95ec980931d331da9b98c8a742c372e7a8086

Download Submit
C:\Windows\{9EF381F7-3617-4266-AE96-0994865E11AD}.exe

Filesize
91KB

MD5
2ecc0c80c2f7a60ae94b883af201fbe3

SHA1
60825662b4fc0c8dfdad423de30364102cd7811c

SHA256
6749b933b4bfc99290bc6aac5cb5d4b51a86cc983b3fd28cb6cca857aa4c894f

SHA512
6ba4fb47f5ee24d2a1c2df27e49b2e5c56eba8b3af31145a73995ffea87bedd796b35ba2b6d1a990ec76d73b5223fb177da1669b86629aeeda5a4ff22ac6ecc3

Download Submit
C:\Windows\{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe

Filesize
91KB

MD5
cc694ba8690d96b6f47889e5903e0c72

SHA1
34b8d5edabce0a616718d41a98403c790ccbf4a6

SHA256
f98f916abb477a1b5ea13f05b09f622daf12649cc4abe71c11abaf19f5b06759

SHA512
909adf084ca798dc1242e015b6270a26bdb317bffd14b28475263cdc94afa35c14d5603d8a7a959c1d829a8dd3fe0a6608d3fa19f09aa5ec67b2ce81067a812d

Download Submit
C:\Windows\{A7C6F83C-0B8B-452f-996B-F030A7791048}.exe

Filesize
91KB

MD5
9a3c666571b8c26a2555bcb66abfbb49

SHA1
7cbdf5c918f592a4adcd43b601df09de41148e5c

SHA256
ea8db02e3fdc25200d9073ccfbdf4c9da5d24c94d5eddd8a3f47390f7f22e9bc

SHA512
8db595a573ad04310919f9f52b28bd3b8cf07656831674d5d464b8ed26b28607f45ab2c03c6c352cf1a6d7d1f4098673de173190ab973b71a875d8706e26b4c2

Download Submit
C:\Windows\{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe

Filesize
91KB

MD5
22aa0375739bade31b3b23a55a4c8647

SHA1
d4aefbda302950c1110c77159d1def88967aec30

SHA256
17a375eb3717a6324f395c66d19cef479628b551c3dbab76ea70617bc09b5f87

SHA512
07c90e3f3087832d731890a83b0ecac5beae5d67b54cb8c84df1914bc637338883b5d5dde47ca7c14a53f6d1d31a61fa2250cb5a2e9f274fa424a5abf44157cf

Download Submit
C:\Windows\{F04F89D1-4443-4bf9-AD48-A49870216852}.exe

Filesize
91KB

MD5
09428f675d0a79d53b9083d62230d0e7

SHA1
b4f158562036008eee0abf84f4faab9cf78528de

SHA256
aa044dcba5a49bae4e84cf7ec00f232ef5fa11f632f026cfc7450b7dfaab92b2

SHA512
b06e1aba742fe5276bbfa9005bc887ae9b864d09a16b14c7374e384ae44a5c23049335db7d90d34ba306c1e4920c3edbac41a8e7c9c82b61745e45e9d516ac23

Download Submit
memory/116-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/116-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/404-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/404-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1656-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1660-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1660-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2296-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2296-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2392-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2392-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3232-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3628-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4860-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4860-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4860-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5104-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5104-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5104-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.