2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe
Size

204KB
MD5

812845a38d0e46c33d6158022a93546e
SHA1

b94bd84bf01c5f2ace6f57e68e1ef4f02e122027
SHA256

2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3
SHA512

b039e4d5b6b8bd5e2dccf4ec79ec2ae5f75eb8a8e864c64705c1706f6fd47f9ee0ca4bdc370fec0527621bf1f8bb7d25df134571887abd94f22d3e7d3ae90d7a
SSDEEP

1536:1EGh0oBl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oBl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{468A1795-ACC8-4126-A06F-C076F713C67C}\stubpath = "C:\\Windows\\{468A1795-ACC8-4126-A06F-C076F713C67C}.exe"	{6CC559A8-02B3-415a-9D76-BC08B4E72879}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}	{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{350A5D8C-42B9-4340-AEB7-5413505BBC04}\stubpath = "C:\\Windows\\{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe"	{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDF291FD-9E8F-432f-A715-E5561C9B780D}\stubpath = "C:\\Windows\\{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe"	{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{343A1A79-8849-436f-89F6-9D3DE75FD100}	{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}\stubpath = "C:\\Windows\\{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe"	{A1400617-2A40-447c-AE77-E38C699C452D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C75B414F-E5E0-44b5-9C4B-8A7A81F96BAB}\stubpath = "C:\\Windows\\{C75B414F-E5E0-44b5-9C4B-8A7A81F96BAB}.exe"	{53A7CDAC-FE36-4095-B66E-48D3EBABBECA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{350A5D8C-42B9-4340-AEB7-5413505BBC04}	{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}	{A1400617-2A40-447c-AE77-E38C699C452D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CC559A8-02B3-415a-9D76-BC08B4E72879}	{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{468A1795-ACC8-4126-A06F-C076F713C67C}	{6CC559A8-02B3-415a-9D76-BC08B4E72879}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C75B414F-E5E0-44b5-9C4B-8A7A81F96BAB}	{53A7CDAC-FE36-4095-B66E-48D3EBABBECA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}\stubpath = "C:\\Windows\\{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe"	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}\stubpath = "C:\\Windows\\{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe"	{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{343A1A79-8849-436f-89F6-9D3DE75FD100}\stubpath = "C:\\Windows\\{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe"	{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CC559A8-02B3-415a-9D76-BC08B4E72879}\stubpath = "C:\\Windows\\{6CC559A8-02B3-415a-9D76-BC08B4E72879}.exe"	{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDF291FD-9E8F-432f-A715-E5561C9B780D}	{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1400617-2A40-447c-AE77-E38C699C452D}	{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1400617-2A40-447c-AE77-E38C699C452D}\stubpath = "C:\\Windows\\{A1400617-2A40-447c-AE77-E38C699C452D}.exe"	{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53A7CDAC-FE36-4095-B66E-48D3EBABBECA}	{468A1795-ACC8-4126-A06F-C076F713C67C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53A7CDAC-FE36-4095-B66E-48D3EBABBECA}\stubpath = "C:\\Windows\\{53A7CDAC-FE36-4095-B66E-48D3EBABBECA}.exe"	{468A1795-ACC8-4126-A06F-C076F713C67C}.exe

Deletes itself 1 IoCs

pid	Process
2576	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2716	{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe
2760	{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe
2692	{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe
1712	{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe
1976	{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe
2632	{A1400617-2A40-447c-AE77-E38C699C452D}.exe
1140	{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe
3044	{6CC559A8-02B3-415a-9D76-BC08B4E72879}.exe
1408	{468A1795-ACC8-4126-A06F-C076F713C67C}.exe
396	{53A7CDAC-FE36-4095-B66E-48D3EBABBECA}.exe
1876	{C75B414F-E5E0-44b5-9C4B-8A7A81F96BAB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe
File created	C:\Windows\{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe	{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe
File created	C:\Windows\{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe	{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe
File created	C:\Windows\{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe	{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe
File created	C:\Windows\{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe	{A1400617-2A40-447c-AE77-E38C699C452D}.exe
File created	C:\Windows\{53A7CDAC-FE36-4095-B66E-48D3EBABBECA}.exe	{468A1795-ACC8-4126-A06F-C076F713C67C}.exe
File created	C:\Windows\{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe	{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe
File created	C:\Windows\{A1400617-2A40-447c-AE77-E38C699C452D}.exe	{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe
File created	C:\Windows\{6CC559A8-02B3-415a-9D76-BC08B4E72879}.exe	{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe
File created	C:\Windows\{468A1795-ACC8-4126-A06F-C076F713C67C}.exe	{6CC559A8-02B3-415a-9D76-BC08B4E72879}.exe
File created	C:\Windows\{C75B414F-E5E0-44b5-9C4B-8A7A81F96BAB}.exe	{53A7CDAC-FE36-4095-B66E-48D3EBABBECA}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6CC559A8-02B3-415a-9D76-BC08B4E72879}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53A7CDAC-FE36-4095-B66E-48D3EBABBECA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C75B414F-E5E0-44b5-9C4B-8A7A81F96BAB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{468A1795-ACC8-4126-A06F-C076F713C67C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A1400617-2A40-447c-AE77-E38C699C452D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2700	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe
Token: SeIncBasePriorityPrivilege	2716	{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe
Token: SeIncBasePriorityPrivilege	2760	{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe
Token: SeIncBasePriorityPrivilege	2692	{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe
Token: SeIncBasePriorityPrivilege	1712	{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe
Token: SeIncBasePriorityPrivilege	1976	{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe
Token: SeIncBasePriorityPrivilege	2632	{A1400617-2A40-447c-AE77-E38C699C452D}.exe
Token: SeIncBasePriorityPrivilege	1140	{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe
Token: SeIncBasePriorityPrivilege	3044	{6CC559A8-02B3-415a-9D76-BC08B4E72879}.exe
Token: SeIncBasePriorityPrivilege	1408	{468A1795-ACC8-4126-A06F-C076F713C67C}.exe
Token: SeIncBasePriorityPrivilege	396	{53A7CDAC-FE36-4095-B66E-48D3EBABBECA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2716	2700	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe	31
PID 2700 wrote to memory of 2716	2700	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe	31
PID 2700 wrote to memory of 2716	2700	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe	31
PID 2700 wrote to memory of 2716	2700	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe	31
PID 2700 wrote to memory of 2576	2700	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe	32
PID 2700 wrote to memory of 2576	2700	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe	32
PID 2700 wrote to memory of 2576	2700	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe	32
PID 2700 wrote to memory of 2576	2700	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe	32
PID 2716 wrote to memory of 2760	2716	{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe	33
PID 2716 wrote to memory of 2760	2716	{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe	33
PID 2716 wrote to memory of 2760	2716	{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe	33
PID 2716 wrote to memory of 2760	2716	{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe	33
PID 2716 wrote to memory of 2684	2716	{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe	34
PID 2716 wrote to memory of 2684	2716	{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe	34
PID 2716 wrote to memory of 2684	2716	{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe	34
PID 2716 wrote to memory of 2684	2716	{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe	34
PID 2760 wrote to memory of 2692	2760	{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe	35
PID 2760 wrote to memory of 2692	2760	{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe	35
PID 2760 wrote to memory of 2692	2760	{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe	35
PID 2760 wrote to memory of 2692	2760	{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe	35
PID 2760 wrote to memory of 2620	2760	{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe	36
PID 2760 wrote to memory of 2620	2760	{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe	36
PID 2760 wrote to memory of 2620	2760	{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe	36
PID 2760 wrote to memory of 2620	2760	{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe	36
PID 2692 wrote to memory of 1712	2692	{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe	37
PID 2692 wrote to memory of 1712	2692	{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe	37
PID 2692 wrote to memory of 1712	2692	{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe	37
PID 2692 wrote to memory of 1712	2692	{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe	37
PID 2692 wrote to memory of 2100	2692	{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe	38
PID 2692 wrote to memory of 2100	2692	{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe	38
PID 2692 wrote to memory of 2100	2692	{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe	38
PID 2692 wrote to memory of 2100	2692	{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe	38
PID 1712 wrote to memory of 1976	1712	{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe	39
PID 1712 wrote to memory of 1976	1712	{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe	39
PID 1712 wrote to memory of 1976	1712	{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe	39
PID 1712 wrote to memory of 1976	1712	{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe	39
PID 1712 wrote to memory of 1048	1712	{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe	40
PID 1712 wrote to memory of 1048	1712	{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe	40
PID 1712 wrote to memory of 1048	1712	{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe	40
PID 1712 wrote to memory of 1048	1712	{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe	40
PID 1976 wrote to memory of 2632	1976	{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe	41
PID 1976 wrote to memory of 2632	1976	{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe	41
PID 1976 wrote to memory of 2632	1976	{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe	41
PID 1976 wrote to memory of 2632	1976	{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe	41
PID 1976 wrote to memory of 2952	1976	{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe	42
PID 1976 wrote to memory of 2952	1976	{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe	42
PID 1976 wrote to memory of 2952	1976	{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe	42
PID 1976 wrote to memory of 2952	1976	{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe	42
PID 2632 wrote to memory of 1140	2632	{A1400617-2A40-447c-AE77-E38C699C452D}.exe	44
PID 2632 wrote to memory of 1140	2632	{A1400617-2A40-447c-AE77-E38C699C452D}.exe	44
PID 2632 wrote to memory of 1140	2632	{A1400617-2A40-447c-AE77-E38C699C452D}.exe	44
PID 2632 wrote to memory of 1140	2632	{A1400617-2A40-447c-AE77-E38C699C452D}.exe	44
PID 2632 wrote to memory of 332	2632	{A1400617-2A40-447c-AE77-E38C699C452D}.exe	45
PID 2632 wrote to memory of 332	2632	{A1400617-2A40-447c-AE77-E38C699C452D}.exe	45
PID 2632 wrote to memory of 332	2632	{A1400617-2A40-447c-AE77-E38C699C452D}.exe	45
PID 2632 wrote to memory of 332	2632	{A1400617-2A40-447c-AE77-E38C699C452D}.exe	45
PID 1140 wrote to memory of 3044	1140	{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe	46
PID 1140 wrote to memory of 3044	1140	{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe	46
PID 1140 wrote to memory of 3044	1140	{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe	46
PID 1140 wrote to memory of 3044	1140	{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe	46
PID 1140 wrote to memory of 3052	1140	{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe	47
PID 1140 wrote to memory of 3052	1140	{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe	47
PID 1140 wrote to memory of 3052	1140	{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe	47
PID 1140 wrote to memory of 3052	1140	{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe	47

C:\Users\Admin\AppData\Local\Temp\2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe
"C:\Users\Admin\AppData\Local\Temp\2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe
  C:\Windows\{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe
    C:\Windows\{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe
      C:\Windows\{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe
        
        C:\Windows\{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe
        
        C:\Windows\{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{A1400617-2A40-447c-AE77-E38C699C452D}.exe
        
        C:\Windows\{A1400617-2A40-447c-AE77-E38C699C452D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe
        
        C:\Windows\{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{6CC559A8-02B3-415a-9D76-BC08B4E72879}.exe
        
        C:\Windows\{6CC559A8-02B3-415a-9D76-BC08B4E72879}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\{468A1795-ACC8-4126-A06F-C076F713C67C}.exe
        
        C:\Windows\{468A1795-ACC8-4126-A06F-C076F713C67C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Windows\{53A7CDAC-FE36-4095-B66E-48D3EBABBECA}.exe
        
        C:\Windows\{53A7CDAC-FE36-4095-B66E-48D3EBABBECA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
        
        C:\Windows\{C75B414F-E5E0-44b5-9C4B-8A7A81F96BAB}.exe
        
        C:\Windows\{C75B414F-E5E0-44b5-9C4B-8A7A81F96BAB}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53A7C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{468A1~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CC55~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8A5B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1400~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{343A1~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDF29~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{350A5~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3BCEA~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F7F16~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2AEA86~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{343A1A79-8849-436f-89F6-9D3DE75FD100}.exe

Filesize
204KB

MD5
b1462f7a7ec452679014572305a320d8

SHA1
67c9da08ed8798e62854552d4e801e88fbeb5d19

SHA256
dd08e8fc48845886700b6c9b14db5019b5bf3c68f9aaee017ee0b62af85d0e96

SHA512
19e3cdca01439649c6c7f89e2ee8b33da1a0b0c8927d91114e1cbffc55f1b1c902c0d4d46111a47e1eff25cb2b783c372247df7c49c79d2a84a54f4ef2c3ea99

Download Submit
C:\Windows\{350A5D8C-42B9-4340-AEB7-5413505BBC04}.exe

Filesize
204KB

MD5
f64501274dd32970f3a4c7f450450b7c

SHA1
619f392487635e59a870a6164a2ea456f8cb3262

SHA256
025af8e5916e5d00453a4f225a169d2679029efd0c98dc480d537e86150df36b

SHA512
9c6e36fee6a3786ef30e30971ec0681acca08f358c3089acb6d7cd945dc3ca1776cff98d52c13ae33352246989c9684f408b4234dff186a6ef380a62dd06c6ea

Download Submit
C:\Windows\{3BCEA048-B3BC-4ea2-80A4-EFAA8395F148}.exe

Filesize
204KB

MD5
c767fc1bb77ae07ce213b22e1443e1b3

SHA1
7d26d0e3c919065bc55b5d07a8c27b122ef541b9

SHA256
1e88f054d952a2e000811dea8d52f5f78ba67de51c27ad4008cb471209a8cdb2

SHA512
afaed82e273a0ee7e67985bfa4857748a2fbca3b07868e4be7559246c08ab2347742787f80abcc67ef1a1ca4b85ed28c5c80b6f90f0c4a86625007f477fd6e3b

Download Submit
C:\Windows\{468A1795-ACC8-4126-A06F-C076F713C67C}.exe

Filesize
204KB

MD5
160ba3edccb9f22e4b1b3eee0932d247

SHA1
41db4de5d1ee861b4a3db79f023000098ef41c07

SHA256
4b133719e7b12e23394765621b172d2f80f6e2b87bc8c6ae32cc92f45cc2b8ae

SHA512
ee6f6281c2f9a8609ca56200b2703349bf28612c21a9586143c7912c014e71c7212a1ccdc1a427f1eb7ce0e617a7119b403597c5f056464970353a7a7f891af4

Download Submit
C:\Windows\{53A7CDAC-FE36-4095-B66E-48D3EBABBECA}.exe

Filesize
204KB

MD5
e4ccd046818366c056d53ad13b41237b

SHA1
597f42f613a292ca1db66d9c972a35b5737fd6fe

SHA256
3b4588f7bddb8e65b4de7c3dcbe71658e3b7bd8d62da6a85d7378324697cffec

SHA512
b779b241dad61e8f5dced37fa071659e47294a035abc2f072c63e620af0f36453745b97e4b4e7759fb9885e36d0a1d07be109a5bcf093fb3357bbfc86df790e9

Download Submit
C:\Windows\{6CC559A8-02B3-415a-9D76-BC08B4E72879}.exe

Filesize
204KB

MD5
09616d1f80dd6cbebf2b41124a07ff40

SHA1
89a57dbe6812e3326d01da041aac696f25f409bc

SHA256
07b3849e158ea07d4b61d4ac791022907a9cdb3647a18f30f02dede014394cf6

SHA512
b58300de153a9433067ade185351c6e46883aad2125ade67a08097e4427221b38e779eb76009a9b143c3503da4f00817a60513880a3be355c240f783b7f15023

Download Submit
C:\Windows\{A1400617-2A40-447c-AE77-E38C699C452D}.exe

Filesize
204KB

MD5
3e06540eef052017cbc8af078a2833c3

SHA1
56d7751faa303a7a1639c30ef2e77c8b8ee03551

SHA256
d22a4edadfbe76e6f33a7f2b54fe4f666a30d0723d9ad2393c3d03b9b3016077

SHA512
af1f1470f84a1f1b40874f9fe23e58151afefa4423dc14e07eff5660ea6da691b50adf80dce9e7083ff12461db1f24b26b39d6d9ea202c24d978bf4d02855d54

Download Submit
C:\Windows\{C75B414F-E5E0-44b5-9C4B-8A7A81F96BAB}.exe

Filesize
204KB

MD5
7863e356f84121b9a36d901ceffd881f

SHA1
0d2e119e94e6785fbe1e0038e929f797d3c74e24

SHA256
9388bd9584c5f3851b6e2526d84f12445b97e49018085710e5e0c88145156a37

SHA512
6e0be52faee05a5e120785824d828131c21bb0423e241dbb0958111e9945cc1c56d7bb6334e12d675443e272f8f97a9c30dc128614d09469676036d7a562f420

Download Submit
C:\Windows\{D8A5B69A-F576-44db-BE7B-EF6A18570F7B}.exe

Filesize
204KB

MD5
35ba3b7a069a9a5b793463c371c4a162

SHA1
371bc5f31394f62bd9e9b6063f2310cd2c4adfb1

SHA256
dc3f4fb1aca57f8cd1136b766e339bff26363717896c60efce3c9333eb072520

SHA512
14879dd2f955aff0e2a9d444d4384c7bdbf0bd236b8748e56f3cd11ca347fb5e446dc0dbc3c7244543450d6c11f5b0799b7a0118a02c92471431ed271de76b57

Download Submit
C:\Windows\{F7F163D9-7150-446e-B3D4-EAEFF8472C1F}.exe

Filesize
204KB

MD5
01416e1702fa5c43a9eb3744b04a89aa

SHA1
60bd51fbb71c2c0f689ef4e96fb01af97540a237

SHA256
166a2783db2fe48484fa2550302116e4e4bdd6b5e50495a1d402775e22f3a6e2

SHA512
3756d01fd0034ff496176772a3f333aefefbb52ccd134ea9652f8c79c5a1b73b1599c0f67644390e5964a124cbc6562befdcc6b4389f67c47002e847f4f2553e

Download Submit
C:\Windows\{FDF291FD-9E8F-432f-A715-E5561C9B780D}.exe

Filesize
204KB

MD5
9ec35a2a1c4056a7cd138bfb8f3f50da

SHA1
0c57afa6559750143db7e7c4c54832df8ec17d67

SHA256
510cb1c56559c63e31f6efd285a2501d374e6e5cef5562d4061f517ec2794e7f

SHA512
49c35da2106d0e9d1b0653a19c7a16772b35af02102be11e3500991da512a4746816c62b1351c50cc1b1bfb8dfb12f037f58db027b071dc8f257bb2f2020a11f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads