1a9e3347bc52c529aa5d24dc71da2afacc46f8940a0ee4ee5ab0a1414c5736c0

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1c183d301c33f72866ef9071d8b2340N.exe
Size

90KB
MD5

b1c183d301c33f72866ef9071d8b2340
SHA1

f6921d3e4f6a05c25ae3e30a2b91f58e2cfe423d
SHA256

1a9e3347bc52c529aa5d24dc71da2afacc46f8940a0ee4ee5ab0a1414c5736c0
SHA512

f63f6e6ca960060be7f097b0521a3245a858d6b65c0617946d85efb284a5605a3853f0418c63151609e78446b0e9a558c377bfc6c27e9acf32548b83323708e7
SSDEEP

768:Qvw9816vhKQLrot4/wQRNrfrunMxVFA3b7glw6:YEGh0otl2unMxVS3Hgl

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}	b1c183d301c33f72866ef9071d8b2340N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}	{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}	{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FE30807-7A40-471c-93BF-A7A512EA04E7}\stubpath = "C:\\Windows\\{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe"	{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}\stubpath = "C:\\Windows\\{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}.exe"	{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}	{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FE30807-7A40-471c-93BF-A7A512EA04E7}	{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}	{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}\stubpath = "C:\\Windows\\{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe"	{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C731FD91-8729-4572-BF75-20A78F7D1CAF}	{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}\stubpath = "C:\\Windows\\{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe"	{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}\stubpath = "C:\\Windows\\{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe"	{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}	{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}\stubpath = "C:\\Windows\\{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe"	b1c183d301c33f72866ef9071d8b2340N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C731FD91-8729-4572-BF75-20A78F7D1CAF}\stubpath = "C:\\Windows\\{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe"	{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}\stubpath = "C:\\Windows\\{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe"	{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77681DDC-7932-411d-98D3-1261685CDE30}	{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77681DDC-7932-411d-98D3-1261685CDE30}\stubpath = "C:\\Windows\\{77681DDC-7932-411d-98D3-1261685CDE30}.exe"	{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}.exe

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2840	{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe
2820	{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe
2608	{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe
1848	{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe
1676	{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe
1908	{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe
2232	{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe
2108	{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}.exe
596	{77681DDC-7932-411d-98D3-1261685CDE30}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe	{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe
File created	C:\Windows\{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe	{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe
File created	C:\Windows\{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe	{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe
File created	C:\Windows\{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}.exe	{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe
File created	C:\Windows\{77681DDC-7932-411d-98D3-1261685CDE30}.exe	{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}.exe
File created	C:\Windows\{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe	b1c183d301c33f72866ef9071d8b2340N.exe
File created	C:\Windows\{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe	{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe
File created	C:\Windows\{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe	{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe
File created	C:\Windows\{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe	{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1c183d301c33f72866ef9071d8b2340N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{77681DDC-7932-411d-98D3-1261685CDE30}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2236	b1c183d301c33f72866ef9071d8b2340N.exe
Token: SeIncBasePriorityPrivilege	2840	{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe
Token: SeIncBasePriorityPrivilege	2820	{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe
Token: SeIncBasePriorityPrivilege	2608	{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe
Token: SeIncBasePriorityPrivilege	1848	{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe
Token: SeIncBasePriorityPrivilege	1676	{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe
Token: SeIncBasePriorityPrivilege	1908	{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe
Token: SeIncBasePriorityPrivilege	2232	{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe
Token: SeIncBasePriorityPrivilege	2108	{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2840	2236	b1c183d301c33f72866ef9071d8b2340N.exe	30
PID 2236 wrote to memory of 2840	2236	b1c183d301c33f72866ef9071d8b2340N.exe	30
PID 2236 wrote to memory of 2840	2236	b1c183d301c33f72866ef9071d8b2340N.exe	30
PID 2236 wrote to memory of 2840	2236	b1c183d301c33f72866ef9071d8b2340N.exe	30
PID 2236 wrote to memory of 2696	2236	b1c183d301c33f72866ef9071d8b2340N.exe	31
PID 2236 wrote to memory of 2696	2236	b1c183d301c33f72866ef9071d8b2340N.exe	31
PID 2236 wrote to memory of 2696	2236	b1c183d301c33f72866ef9071d8b2340N.exe	31
PID 2236 wrote to memory of 2696	2236	b1c183d301c33f72866ef9071d8b2340N.exe	31
PID 2840 wrote to memory of 2820	2840	{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe	32
PID 2840 wrote to memory of 2820	2840	{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe	32
PID 2840 wrote to memory of 2820	2840	{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe	32
PID 2840 wrote to memory of 2820	2840	{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe	32
PID 2840 wrote to memory of 1720	2840	{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe	33
PID 2840 wrote to memory of 1720	2840	{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe	33
PID 2840 wrote to memory of 1720	2840	{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe	33
PID 2840 wrote to memory of 1720	2840	{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe	33
PID 2820 wrote to memory of 2608	2820	{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe	34
PID 2820 wrote to memory of 2608	2820	{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe	34
PID 2820 wrote to memory of 2608	2820	{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe	34
PID 2820 wrote to memory of 2608	2820	{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe	34
PID 2820 wrote to memory of 2032	2820	{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe	35
PID 2820 wrote to memory of 2032	2820	{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe	35
PID 2820 wrote to memory of 2032	2820	{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe	35
PID 2820 wrote to memory of 2032	2820	{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe	35
PID 2608 wrote to memory of 1848	2608	{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe	36
PID 2608 wrote to memory of 1848	2608	{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe	36
PID 2608 wrote to memory of 1848	2608	{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe	36
PID 2608 wrote to memory of 1848	2608	{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe	36
PID 2608 wrote to memory of 2268	2608	{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe	37
PID 2608 wrote to memory of 2268	2608	{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe	37
PID 2608 wrote to memory of 2268	2608	{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe	37
PID 2608 wrote to memory of 2268	2608	{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe	37
PID 1848 wrote to memory of 1676	1848	{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe	38
PID 1848 wrote to memory of 1676	1848	{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe	38
PID 1848 wrote to memory of 1676	1848	{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe	38
PID 1848 wrote to memory of 1676	1848	{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe	38
PID 1848 wrote to memory of 2540	1848	{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe	39
PID 1848 wrote to memory of 2540	1848	{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe	39
PID 1848 wrote to memory of 2540	1848	{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe	39
PID 1848 wrote to memory of 2540	1848	{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe	39
PID 1676 wrote to memory of 1908	1676	{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe	40
PID 1676 wrote to memory of 1908	1676	{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe	40
PID 1676 wrote to memory of 1908	1676	{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe	40
PID 1676 wrote to memory of 1908	1676	{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe	40
PID 1676 wrote to memory of 2856	1676	{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe	41
PID 1676 wrote to memory of 2856	1676	{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe	41
PID 1676 wrote to memory of 2856	1676	{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe	41
PID 1676 wrote to memory of 2856	1676	{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe	41
PID 1908 wrote to memory of 2232	1908	{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe	42
PID 1908 wrote to memory of 2232	1908	{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe	42
PID 1908 wrote to memory of 2232	1908	{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe	42
PID 1908 wrote to memory of 2232	1908	{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe	42
PID 1908 wrote to memory of 2848	1908	{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe	43
PID 1908 wrote to memory of 2848	1908	{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe	43
PID 1908 wrote to memory of 2848	1908	{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe	43
PID 1908 wrote to memory of 2848	1908	{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe	43
PID 2232 wrote to memory of 2108	2232	{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe	44
PID 2232 wrote to memory of 2108	2232	{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe	44
PID 2232 wrote to memory of 2108	2232	{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe	44
PID 2232 wrote to memory of 2108	2232	{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe	44
PID 2232 wrote to memory of 2400	2232	{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe	45
PID 2232 wrote to memory of 2400	2232	{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe	45
PID 2232 wrote to memory of 2400	2232	{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe	45
PID 2232 wrote to memory of 2400	2232	{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe	45

C:\Users\Admin\AppData\Local\Temp\b1c183d301c33f72866ef9071d8b2340N.exe
"C:\Users\Admin\AppData\Local\Temp\b1c183d301c33f72866ef9071d8b2340N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe
  C:\Windows\{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe
    C:\Windows\{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe
      C:\Windows\{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe
        
        C:\Windows\{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
      - C:\Windows\{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe
        
        C:\Windows\{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe
        
        C:\Windows\{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe
        
        C:\Windows\{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}.exe
        
        C:\Windows\{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\{77681DDC-7932-411d-98D3-1261685CDE30}.exe
        
        C:\Windows\{77681DDC-7932-411d-98D3-1261685CDE30}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD4E0~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DFD1~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FE30~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C716E~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D3A7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C731F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6BEB6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{14BDF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B1C183~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe

Filesize
90KB

MD5
be7da9ad2ca98f86e2e6f533b3981610

SHA1
c4c518357855c5e83508566626ddb3d440e667a2

SHA256
245c54a9adfaa4aa0ed8610263d3e4cb950c5b6d138395ede5883ceb4a82c52f

SHA512
b1a06c16a342e7a99133813ef478a538e5da17c45f0462a9f23ff74f1ac52fae695c33d3bf055ec3ab69517288d84311e4b4b5cf49b4b137fc0c81e716aea7cd

Download Submit
C:\Windows\{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe

Filesize
90KB

MD5
21771ba53e895f14d5365c91a204806c

SHA1
c04f4dcceb2989a1c4d509f066a8a8202033c449

SHA256
da03a5d1b63d47701965b67e21e7a5b58df90fa3d3cdbda641aa8a80a52c71b1

SHA512
ec30492b9f3d9ae92c92125a356e7a370dd5c49bbc2f2ac82c1c113d292a257562de8d5b202c412aad6785f57a008ee7d84b2908ac09dcbd0647dd67fabcb5d5

Download Submit
C:\Windows\{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe

Filesize
90KB

MD5
580db30d31dd55201147bcea067a0691

SHA1
516c673d624e5c5025af560576f7002a790a84f3

SHA256
748c414bb444cbd758fc02f1bf34a2a470107af610deb1a2f0aba25d6895ad33

SHA512
131f724248f4c2119c085cc0acb855a05615e2b3d7be35d172915d232612e20bad12eb4119ed2a23f4841338047f6035bb931280a6f29e65f5414c7dcd0dafe6

Download Submit
C:\Windows\{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe

Filesize
90KB

MD5
c1a5aa5da7e14bf03671871a82b3dabc

SHA1
18915e031a0d2d1bdd832eb236a0f403c81db537

SHA256
ffa30ab35d96e6d17d3ea17ced8c0c3fbd27701fcf9b798cec7d57b499a2755a

SHA512
8622a93cd50bd55eb16bc6a58dc64e2faab72cc868554cb9aefec7237ff2b1b4972ed81daf1f576a6c116b04e2aa5afc80aae675b2880c543328eb45430ce4ae

Download Submit
C:\Windows\{77681DDC-7932-411d-98D3-1261685CDE30}.exe

Filesize
90KB

MD5
df01dffaa4ef44077eb33695fd561776

SHA1
095cd516513f21792c09a96efa142f56839fe9ad

SHA256
79d4edc703dbfd571883b616f2b58117ecdb548cff6baa8719eb907c27123d73

SHA512
754517c5b3417bb41edf9f917f6482cdceb4a09b86ee14cfd71d61907bcf9aedb90767cd9e1d830788f544ab2e462d53d335d16490fb81b7ad481ff11cd01f9d

Download Submit
C:\Windows\{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe

Filesize
90KB

MD5
d16477f52708c385d831dbbe22cf37b6

SHA1
e6c645970133ef85d17bb8da65dc2ce67b8d99a5

SHA256
3f412bdadf9f5bb5551bbdbc080c77574834d482692dbef56bf34ff5ae1115ae

SHA512
a4684663811d98b6be42d1156a6f722ef55fd0e27ffcb6f87729b107455f251fdc0d819aa055af1aa17db3e38a612af98f71dc305b629a1f2a8f3dfef0dd3eb3

Download Submit
C:\Windows\{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}.exe

Filesize
90KB

MD5
a74d9ce5f74d034da02fc45539981b62

SHA1
355e62bddc6d44502c4be0915942c3e48b9f3098

SHA256
7fcc2fb5e4ea138218e3ec9dd04fca8801e9116c00c1fecf88e370c4aab30eb4

SHA512
12b51fff5e2369bbf6116b4e7822016d9873c01bedc083e466915e9ff9ce606f07189f94167f42f4ba238a61e473a4fd1d49509a51c93f14ed3bbfcb9e04dcab

Download Submit
C:\Windows\{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe

Filesize
90KB

MD5
8bff0b6517d41a0b30852b4bfb3a80bb

SHA1
f82423bcfbcbc92f7114d7e13cd069c2d4df2c71

SHA256
23783d5780799e1c0575651ccdc5320f99e0f0059e3bb8ac011049f68f79730e

SHA512
7e7c166dbff05e6f92727dfedcd9ebf5a4dd534fe1d7c2b7be50e616661cc1777281f01474f4c4ad2491d657d42c96561e246e58a5cd09742e7db988f9cbb2f8

Download Submit
C:\Windows\{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe

Filesize
90KB

MD5
d9aaaf2b5fa583261afbc4cea2e56790

SHA1
d4cc6da0fc3759ee1df071db6f6dfb4788fe7579

SHA256
165acc1be4bb59d32d16a2a6d81895532779af91d88ef27d678f96d74d7d2c81

SHA512
3e7a3d55f89907eda45305e74aa612cf5e2cbf038c2a18122b754fd0c67d35a1226d26d8bc1b6c1efcba94f48006558f7865eb2e154d97c726bdd280d716a9d0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads