9bbdcc5dfff54cc949898a323d6aba2e0b3187ccd4bcd50ea88d4feeaaf4812e

Analysis

max time kernel
118s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ad7c478eb2c72d59d73992bb1a18400N.exe
Size

408KB
MD5

8ad7c478eb2c72d59d73992bb1a18400
SHA1

7968d58c2d2b0824c40680299f0b4b908afb5901
SHA256

9bbdcc5dfff54cc949898a323d6aba2e0b3187ccd4bcd50ea88d4feeaaf4812e
SHA512

f5ec091ccec9230da8098be5b8ee3d559055344b58e6dbcc3652650e2d6c9fe849e9714b01278674f17a5a20078181711f209fff28fec014a7c8ad4caef784ad
SSDEEP

3072:CEGh0o/l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG5ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1BADEF5-E45D-4251-888A-D9991F642ABD}\stubpath = "C:\\Windows\\{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe"	{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5725A6F-146C-4546-9CE9-EF8B61D01129}	{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F823246-5282-408c-8791-22307867B233}\stubpath = "C:\\Windows\\{8F823246-5282-408c-8791-22307867B233}.exe"	{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF4864B3-04F9-492a-9D2C-829C2BF76974}\stubpath = "C:\\Windows\\{AF4864B3-04F9-492a-9D2C-829C2BF76974}.exe"	{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79EAEBB8-938C-47ac-AB5B-481F950A50A9}\stubpath = "C:\\Windows\\{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe"	{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F823246-5282-408c-8791-22307867B233}	{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE501C74-1A61-427d-9710-AB7CB22F7AD0}\stubpath = "C:\\Windows\\{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe"	8ad7c478eb2c72d59d73992bb1a18400N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20669C2D-D506-4adc-8B49-7C1CAF795B9B}	{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20669C2D-D506-4adc-8B49-7C1CAF795B9B}\stubpath = "C:\\Windows\\{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe"	{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D016C39-1A35-4c74-9DFF-9938D4D940A5}	{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D016C39-1A35-4c74-9DFF-9938D4D940A5}\stubpath = "C:\\Windows\\{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe"	{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79EAEBB8-938C-47ac-AB5B-481F950A50A9}	{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29265FE7-E042-4ca9-94E3-815E2C1343A8}	{8F823246-5282-408c-8791-22307867B233}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF4864B3-04F9-492a-9D2C-829C2BF76974}	{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE501C74-1A61-427d-9710-AB7CB22F7AD0}	8ad7c478eb2c72d59d73992bb1a18400N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1BADEF5-E45D-4251-888A-D9991F642ABD}	{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5725A6F-146C-4546-9CE9-EF8B61D01129}\stubpath = "C:\\Windows\\{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe"	{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29265FE7-E042-4ca9-94E3-815E2C1343A8}\stubpath = "C:\\Windows\\{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe"	{8F823246-5282-408c-8791-22307867B233}.exe

Executes dropped EXE 9 IoCs

pid	Process
4564	{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe
3804	{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe
3628	{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe
5116	{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe
896	{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe
4316	{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe
3584	{8F823246-5282-408c-8791-22307867B233}.exe
788	{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe
828	{AF4864B3-04F9-492a-9D2C-829C2BF76974}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe	8ad7c478eb2c72d59d73992bb1a18400N.exe
File created	C:\Windows\{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe	{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe
File created	C:\Windows\{AF4864B3-04F9-492a-9D2C-829C2BF76974}.exe	{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe
File created	C:\Windows\{8F823246-5282-408c-8791-22307867B233}.exe	{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe
File created	C:\Windows\{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe	{8F823246-5282-408c-8791-22307867B233}.exe
File created	C:\Windows\{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe	{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe
File created	C:\Windows\{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe	{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe
File created	C:\Windows\{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe	{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe
File created	C:\Windows\{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe	{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AF4864B3-04F9-492a-9D2C-829C2BF76974}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ad7c478eb2c72d59d73992bb1a18400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F823246-5282-408c-8791-22307867B233}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3404	8ad7c478eb2c72d59d73992bb1a18400N.exe
Token: SeIncBasePriorityPrivilege	4564	{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe
Token: SeIncBasePriorityPrivilege	3804	{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe
Token: SeIncBasePriorityPrivilege	3628	{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe
Token: SeIncBasePriorityPrivilege	5116	{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe
Token: SeIncBasePriorityPrivilege	896	{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe
Token: SeIncBasePriorityPrivilege	4316	{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe
Token: SeIncBasePriorityPrivilege	3584	{8F823246-5282-408c-8791-22307867B233}.exe
Token: SeIncBasePriorityPrivilege	788	{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4564	3404	8ad7c478eb2c72d59d73992bb1a18400N.exe	94
PID 3404 wrote to memory of 4564	3404	8ad7c478eb2c72d59d73992bb1a18400N.exe	94
PID 3404 wrote to memory of 4564	3404	8ad7c478eb2c72d59d73992bb1a18400N.exe	94
PID 3404 wrote to memory of 4984	3404	8ad7c478eb2c72d59d73992bb1a18400N.exe	95
PID 3404 wrote to memory of 4984	3404	8ad7c478eb2c72d59d73992bb1a18400N.exe	95
PID 3404 wrote to memory of 4984	3404	8ad7c478eb2c72d59d73992bb1a18400N.exe	95
PID 4564 wrote to memory of 3804	4564	{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe	96
PID 4564 wrote to memory of 3804	4564	{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe	96
PID 4564 wrote to memory of 3804	4564	{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe	96
PID 4564 wrote to memory of 3540	4564	{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe	97
PID 4564 wrote to memory of 3540	4564	{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe	97
PID 4564 wrote to memory of 3540	4564	{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe	97
PID 3804 wrote to memory of 3628	3804	{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe	99
PID 3804 wrote to memory of 3628	3804	{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe	99
PID 3804 wrote to memory of 3628	3804	{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe	99
PID 3804 wrote to memory of 4408	3804	{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe	100
PID 3804 wrote to memory of 4408	3804	{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe	100
PID 3804 wrote to memory of 4408	3804	{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe	100
PID 3628 wrote to memory of 5116	3628	{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe	102
PID 3628 wrote to memory of 5116	3628	{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe	102
PID 3628 wrote to memory of 5116	3628	{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe	102
PID 3628 wrote to memory of 3696	3628	{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe	103
PID 3628 wrote to memory of 3696	3628	{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe	103
PID 3628 wrote to memory of 3696	3628	{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe	103
PID 5116 wrote to memory of 896	5116	{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe	104
PID 5116 wrote to memory of 896	5116	{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe	104
PID 5116 wrote to memory of 896	5116	{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe	104
PID 5116 wrote to memory of 364	5116	{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe	105
PID 5116 wrote to memory of 364	5116	{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe	105
PID 5116 wrote to memory of 364	5116	{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe	105
PID 896 wrote to memory of 4316	896	{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe	106
PID 896 wrote to memory of 4316	896	{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe	106
PID 896 wrote to memory of 4316	896	{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe	106
PID 896 wrote to memory of 4436	896	{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe	107
PID 896 wrote to memory of 4436	896	{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe	107
PID 896 wrote to memory of 4436	896	{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe	107
PID 4316 wrote to memory of 3584	4316	{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe	108
PID 4316 wrote to memory of 3584	4316	{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe	108
PID 4316 wrote to memory of 3584	4316	{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe	108
PID 4316 wrote to memory of 4932	4316	{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe	109
PID 4316 wrote to memory of 4932	4316	{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe	109
PID 4316 wrote to memory of 4932	4316	{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe	109
PID 3584 wrote to memory of 788	3584	{8F823246-5282-408c-8791-22307867B233}.exe	110
PID 3584 wrote to memory of 788	3584	{8F823246-5282-408c-8791-22307867B233}.exe	110
PID 3584 wrote to memory of 788	3584	{8F823246-5282-408c-8791-22307867B233}.exe	110
PID 3584 wrote to memory of 2692	3584	{8F823246-5282-408c-8791-22307867B233}.exe	111
PID 3584 wrote to memory of 2692	3584	{8F823246-5282-408c-8791-22307867B233}.exe	111
PID 3584 wrote to memory of 2692	3584	{8F823246-5282-408c-8791-22307867B233}.exe	111
PID 788 wrote to memory of 828	788	{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe	112
PID 788 wrote to memory of 828	788	{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe	112
PID 788 wrote to memory of 828	788	{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe	112
PID 788 wrote to memory of 1800	788	{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe	113
PID 788 wrote to memory of 1800	788	{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe	113
PID 788 wrote to memory of 1800	788	{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe	113

C:\Users\Admin\AppData\Local\Temp\8ad7c478eb2c72d59d73992bb1a18400N.exe
"C:\Users\Admin\AppData\Local\Temp\8ad7c478eb2c72d59d73992bb1a18400N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe
  C:\Windows\{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe
    C:\Windows\{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe
      C:\Windows\{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3628
    - - C:\Windows\{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe
        
        C:\Windows\{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Windows\{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe
        
        C:\Windows\{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe
        
        C:\Windows\{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\{8F823246-5282-408c-8791-22307867B233}.exe
        
        C:\Windows\{8F823246-5282-408c-8791-22307867B233}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe
        
        C:\Windows\{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\{AF4864B3-04F9-492a-9D2C-829C2BF76974}.exe
        
        C:\Windows\{AF4864B3-04F9-492a-9D2C-829C2BF76974}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29265~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F823~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5725~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79EAE~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D016~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1BAD~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{20669~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CE501~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8AD7C4~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D016C39-1A35-4c74-9DFF-9938D4D940A5}.exe

Filesize
408KB

MD5
fb37929c53fb1e662b8e8c695228d6d2

SHA1
1bd4e23bba0bcb3ef21880143ac3debcf8c939c0

SHA256
9324a508981f58ddb96fd91fe252cdd991ff6a68a847c78c1e48c01b9a1fcb8d

SHA512
b4a180e6d27e2e8033b34eae2025d3062f8c676937ef6084bab885916b99bfb706fda9194191e61e0a2233ddfb0301b7cfe277a123da4f9d231af4a90af48c9f

Download Submit
C:\Windows\{20669C2D-D506-4adc-8B49-7C1CAF795B9B}.exe

Filesize
408KB

MD5
85d2b47c18e8e81a562f2011a70ef9d8

SHA1
106ac3662af4629286482bfd38c07df89a2faebf

SHA256
7d74f20d91543fba6594fe1d62c7b4472b8a9f4147cffcfc896c899cde6b1cdf

SHA512
931c3361d6821da33a3e961ad27f2e41bf9ba9fc587bdcbf03edcba419c61ad8703917537661d1901ce34bb78057d3ab28818d16bfbef601acbe46c889f726ff

Download Submit
C:\Windows\{29265FE7-E042-4ca9-94E3-815E2C1343A8}.exe

Filesize
408KB

MD5
6b20c9f9ba5f2f4725e5f5f8e4bb39e6

SHA1
d6ab63beb258c3652a7a45dac5d1f80d27d8899e

SHA256
36953770af95ffe9532f1df0864f4a4defb1b8dad386cebbdb6bd4e145f2a9e7

SHA512
7cc1c35fa89f8d93ff79be4c262ac0348d6d0bc91d2c2a7683791c1867298993803bfd96163118f312d23cf70c855b3c78a59e61a3dcade818254e8781b5ffb6

Download Submit
C:\Windows\{79EAEBB8-938C-47ac-AB5B-481F950A50A9}.exe

Filesize
408KB

MD5
61d91e1e66f1811edffbaf89d94bdc66

SHA1
94cb14879558854e60016421aa31683819a8bf01

SHA256
a8416da03575027a3cc7daaa649045faf645a8d594679c3935cd13568b9b0f36

SHA512
1f6ddf010804d44b44336dcbfd0881928383bbc6bca84076244185d76ee4aece8a2c6508913790434c1b101ed448df30eee0d8a25dce4829fd4a3f7b4ffe7fef

Download Submit
C:\Windows\{8F823246-5282-408c-8791-22307867B233}.exe

Filesize
408KB

MD5
760227bd0808c86efd736d3e3b457af8

SHA1
92aca42386f08483c103e42b3dd086f5c0b1014c

SHA256
c2941e97c7596ce269867773ceb789918d8de4529c09265b33693bfad9fb9bc9

SHA512
b571cb40e85c15cc5ba364a399803ba0e29c4510aaadb4592e06b128c3a46311c538f570a5e6c1b9fdda002237207f713861948169f7dadae85b9c9f351e2d1a

Download Submit
C:\Windows\{A5725A6F-146C-4546-9CE9-EF8B61D01129}.exe

Filesize
408KB

MD5
58afd45dc4c3d61dfb89544ef10685b3

SHA1
3dab4c09bd0efc09c2c6e4402a54c0720abde2d7

SHA256
f166524a74732406a91a5aeab50da37b550818d7eb92fe059f9be2e6c3914ba3

SHA512
258a2497599c35de2f9284c80bb3dfa7fd55e90a2eb25d5c9bf84718aaf90ab2e57ee1e21ffe403185e17c5fa9c9bac33933a1a6a1f378e6f891374d1f880d8b

Download Submit
C:\Windows\{AF4864B3-04F9-492a-9D2C-829C2BF76974}.exe

Filesize
408KB

MD5
a88b73a7a0b07456b82d3a3769e68b78

SHA1
978cef53ae1b97d4f4cbfcdd391f26e2511de52d

SHA256
76dc1a1d8ddecad6af51b9e959c25e0df4e714bb8f5782f4e8a5b2c2cac73f5b

SHA512
984b688c7fa268a6f98afdcce53db8c47141151e73ee30d9273bf18a9ace5e183191a09cecb187d7e6270adcdcddab0c34898e525e74c250c96dfc0e6b5c5a81

Download Submit
C:\Windows\{CE501C74-1A61-427d-9710-AB7CB22F7AD0}.exe

Filesize
408KB

MD5
9fd6b19e0189708ed84ebd47ccd4ab48

SHA1
3e7b7ed6ae0a2c98e42eda2291b9c64b54a1e997

SHA256
f5ec77bb84d391b4a70a16a530f5777bb17f79379e62005ed5f8e80513c32111

SHA512
0d9e3dc31d9bcc9d8f2e1d6655de77862c27aae1070c12948929da63d0fdd13cc3c6f75fd1994ce3fe2170f5aca58e363d546f2bd3642f84fd77dc038f62943b

Download Submit
C:\Windows\{F1BADEF5-E45D-4251-888A-D9991F642ABD}.exe

Filesize
408KB

MD5
19446586e78d8be009cffc878332fdf4

SHA1
8d24eeade93fe1df221f407dd45811421a4e2eb5

SHA256
5f16ac4647e6d8f12b14662363dd9e2dbb01d41134048db41b6c09061a8a0cdd

SHA512
4cce7cfbe0977d28520ca4d3aad91625a0de15bcf3d086825e3c89430081f3dffe6d244c9e56152fde808ccd52e49a36b341b084d976fde21ff445c673d44e25

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads