c997248d209099857eab392114e42f641856b7a7aea80208f22d6f2391293057

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b44bec18ecf756262d7967fa256cb7f0N.exe
Size

76KB
MD5

b44bec18ecf756262d7967fa256cb7f0
SHA1

9b10194120a58556211b89a17cea6e1c8ce7dcbe
SHA256

c997248d209099857eab392114e42f641856b7a7aea80208f22d6f2391293057
SHA512

b8c7142ba3b3c985fbb48c2bca3a96275a34320bc7c4dc670fabda89b36a3f30efce311662a2b09a24cf92d54d978109d71db98bcbcbc60a36d62dfdf8c3f643
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroaL4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwU1:vvw9816vhKQLroaL4/wQRNrfrunMxVD

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3EE705E-C0D6-46e1-AEB0-11CF91358086}\stubpath = "C:\\Windows\\{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe"	{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D0130E2-44B7-4ded-8A05-74A7EE81C774}	{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}\stubpath = "C:\\Windows\\{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe"	{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D828D7C0-FAD6-482f-BB0F-D6538EADF68E}\stubpath = "C:\\Windows\\{D828D7C0-FAD6-482f-BB0F-D6538EADF68E}.exe"	{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}\stubpath = "C:\\Windows\\{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe"	{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66553689-62D9-4aa2-9095-64D4AC9730BE}	{D38E413C-C294-4dfb-B506-F661479187CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66553689-62D9-4aa2-9095-64D4AC9730BE}\stubpath = "C:\\Windows\\{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe"	{D38E413C-C294-4dfb-B506-F661479187CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}	{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5A49B96-F809-43eb-A283-7D6A6928E242}	{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5A49B96-F809-43eb-A283-7D6A6928E242}\stubpath = "C:\\Windows\\{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe"	{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D0130E2-44B7-4ded-8A05-74A7EE81C774}\stubpath = "C:\\Windows\\{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe"	{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}	{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D38E413C-C294-4dfb-B506-F661479187CE}\stubpath = "C:\\Windows\\{D38E413C-C294-4dfb-B506-F661479187CE}.exe"	b44bec18ecf756262d7967fa256cb7f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}\stubpath = "C:\\Windows\\{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe"	{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}	{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3EE705E-C0D6-46e1-AEB0-11CF91358086}	{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D828D7C0-FAD6-482f-BB0F-D6538EADF68E}	{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D38E413C-C294-4dfb-B506-F661479187CE}	b44bec18ecf756262d7967fa256cb7f0N.exe

Executes dropped EXE 9 IoCs

pid	Process
1000	{D38E413C-C294-4dfb-B506-F661479187CE}.exe
1772	{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe
2452	{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe
3008	{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe
1572	{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe
2424	{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe
1740	{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe
544	{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe
2100	{D828D7C0-FAD6-482f-BB0F-D6538EADF68E}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe	{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe
File created	C:\Windows\{D828D7C0-FAD6-482f-BB0F-D6538EADF68E}.exe	{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe
File created	C:\Windows\{D38E413C-C294-4dfb-B506-F661479187CE}.exe	b44bec18ecf756262d7967fa256cb7f0N.exe
File created	C:\Windows\{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe	{D38E413C-C294-4dfb-B506-F661479187CE}.exe
File created	C:\Windows\{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe	{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe
File created	C:\Windows\{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe	{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe
File created	C:\Windows\{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe	{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe
File created	C:\Windows\{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe	{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe
File created	C:\Windows\{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe	{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D828D7C0-FAD6-482f-BB0F-D6538EADF68E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D38E413C-C294-4dfb-B506-F661479187CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b44bec18ecf756262d7967fa256cb7f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2608	b44bec18ecf756262d7967fa256cb7f0N.exe
Token: SeIncBasePriorityPrivilege	1000	{D38E413C-C294-4dfb-B506-F661479187CE}.exe
Token: SeIncBasePriorityPrivilege	1772	{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe
Token: SeIncBasePriorityPrivilege	2452	{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe
Token: SeIncBasePriorityPrivilege	3008	{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe
Token: SeIncBasePriorityPrivilege	1572	{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe
Token: SeIncBasePriorityPrivilege	2424	{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe
Token: SeIncBasePriorityPrivilege	1740	{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe
Token: SeIncBasePriorityPrivilege	544	{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 1000	2608	b44bec18ecf756262d7967fa256cb7f0N.exe	94
PID 2608 wrote to memory of 1000	2608	b44bec18ecf756262d7967fa256cb7f0N.exe	94
PID 2608 wrote to memory of 1000	2608	b44bec18ecf756262d7967fa256cb7f0N.exe	94
PID 2608 wrote to memory of 664	2608	b44bec18ecf756262d7967fa256cb7f0N.exe	95
PID 2608 wrote to memory of 664	2608	b44bec18ecf756262d7967fa256cb7f0N.exe	95
PID 2608 wrote to memory of 664	2608	b44bec18ecf756262d7967fa256cb7f0N.exe	95
PID 1000 wrote to memory of 1772	1000	{D38E413C-C294-4dfb-B506-F661479187CE}.exe	96
PID 1000 wrote to memory of 1772	1000	{D38E413C-C294-4dfb-B506-F661479187CE}.exe	96
PID 1000 wrote to memory of 1772	1000	{D38E413C-C294-4dfb-B506-F661479187CE}.exe	96
PID 1000 wrote to memory of 3956	1000	{D38E413C-C294-4dfb-B506-F661479187CE}.exe	97
PID 1000 wrote to memory of 3956	1000	{D38E413C-C294-4dfb-B506-F661479187CE}.exe	97
PID 1000 wrote to memory of 3956	1000	{D38E413C-C294-4dfb-B506-F661479187CE}.exe	97
PID 1772 wrote to memory of 2452	1772	{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe	100
PID 1772 wrote to memory of 2452	1772	{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe	100
PID 1772 wrote to memory of 2452	1772	{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe	100
PID 1772 wrote to memory of 1184	1772	{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe	101
PID 1772 wrote to memory of 1184	1772	{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe	101
PID 1772 wrote to memory of 1184	1772	{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe	101
PID 2452 wrote to memory of 3008	2452	{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe	102
PID 2452 wrote to memory of 3008	2452	{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe	102
PID 2452 wrote to memory of 3008	2452	{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe	102
PID 2452 wrote to memory of 3424	2452	{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe	103
PID 2452 wrote to memory of 3424	2452	{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe	103
PID 2452 wrote to memory of 3424	2452	{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe	103
PID 3008 wrote to memory of 1572	3008	{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe	104
PID 3008 wrote to memory of 1572	3008	{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe	104
PID 3008 wrote to memory of 1572	3008	{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe	104
PID 3008 wrote to memory of 4480	3008	{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe	105
PID 3008 wrote to memory of 4480	3008	{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe	105
PID 3008 wrote to memory of 4480	3008	{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe	105
PID 1572 wrote to memory of 2424	1572	{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe	106
PID 1572 wrote to memory of 2424	1572	{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe	106
PID 1572 wrote to memory of 2424	1572	{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe	106
PID 1572 wrote to memory of 1872	1572	{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe	107
PID 1572 wrote to memory of 1872	1572	{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe	107
PID 1572 wrote to memory of 1872	1572	{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe	107
PID 2424 wrote to memory of 1740	2424	{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe	108
PID 2424 wrote to memory of 1740	2424	{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe	108
PID 2424 wrote to memory of 1740	2424	{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe	108
PID 2424 wrote to memory of 3164	2424	{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe	109
PID 2424 wrote to memory of 3164	2424	{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe	109
PID 2424 wrote to memory of 3164	2424	{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe	109
PID 1740 wrote to memory of 544	1740	{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe	110
PID 1740 wrote to memory of 544	1740	{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe	110
PID 1740 wrote to memory of 544	1740	{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe	110
PID 1740 wrote to memory of 1388	1740	{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe	111
PID 1740 wrote to memory of 1388	1740	{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe	111
PID 1740 wrote to memory of 1388	1740	{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe	111
PID 544 wrote to memory of 2100	544	{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe	112
PID 544 wrote to memory of 2100	544	{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe	112
PID 544 wrote to memory of 2100	544	{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe	112
PID 544 wrote to memory of 3212	544	{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe	113
PID 544 wrote to memory of 3212	544	{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe	113
PID 544 wrote to memory of 3212	544	{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe	113

C:\Users\Admin\AppData\Local\Temp\b44bec18ecf756262d7967fa256cb7f0N.exe
"C:\Users\Admin\AppData\Local\Temp\b44bec18ecf756262d7967fa256cb7f0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\{D38E413C-C294-4dfb-B506-F661479187CE}.exe
  C:\Windows\{D38E413C-C294-4dfb-B506-F661479187CE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe
    C:\Windows\{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe
      C:\Windows\{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe
        
        C:\Windows\{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Windows\{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe
        
        C:\Windows\{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe
        
        C:\Windows\{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe
        
        C:\Windows\{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe
        
        C:\Windows\{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\{D828D7C0-FAD6-482f-BB0F-D6538EADF68E}.exe
        
        C:\Windows\{D828D7C0-FAD6-482f-BB0F-D6538EADF68E}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE52A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D013~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3EE7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5A49~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE3ED~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0592~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{66553~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D38E4~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B44BEC~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4D0130E2-44B7-4ded-8A05-74A7EE81C774}.exe

Filesize
76KB

MD5
48415dd09247497074e71e8d20fe0bb3

SHA1
774991230c410ab76b8e0a5c7af6beb0d502fd1a

SHA256
1fd50c0201396a47f62d3305aad22389470c3293bae6b698043991ccf2b8c5bb

SHA512
f593f37a11adb0afc8c284f638d715eafad71d5b0d49c3a2b243bd137cc49c5802f834894caecd164e41aba3aa13068c53aee040adc4cb301cbcd5d1c61bcaba

Download Submit
C:\Windows\{66553689-62D9-4aa2-9095-64D4AC9730BE}.exe

Filesize
76KB

MD5
3f6ff1aa10a6a9100e7b0e6c52719f72

SHA1
d5d3b1e652773050f416054b27970f5ceb070516

SHA256
58444a519f47a014f5e3af7f5366f7918c12860c9ef607a25a71fa4c91235183

SHA512
13e75162637357848c20ee6e51c7dbcd77dc17840cd434642b2af42a911197144e4b9970e551cbcbd56fe79526edbef1ef95e3b29508e30f68f525e63b2cea08

Download Submit
C:\Windows\{AE3EDDB7-200D-4488-A4EE-C431AF5E4F2B}.exe

Filesize
76KB

MD5
4cee53ff7d71940fd9d02ce2df46306b

SHA1
211d73717ea2807ff4fbfb7b48350d83c8a9f398

SHA256
8e468bf5d79387d55f000d38cda91891b3007599d242f88bdd3dda9d56224ccc

SHA512
71cd52c2b88e8f97137bc6043c9898ba4993d8a0e1650c6286c84f679406d799117bebbce8c61a1bd37a7086e29b4735819145dd6b4ae727fdc5d59f3fb343fa

Download Submit
C:\Windows\{B5A49B96-F809-43eb-A283-7D6A6928E242}.exe

Filesize
76KB

MD5
fc52118ef8c147c07c4a33e9c26787ef

SHA1
df0147ebc795d9b9e5d19c1ba605b1b29aec9a58

SHA256
0ab0127146daedbace4a29152473d8a7a58725ca7d5488a5004d332b8a062a17

SHA512
c6dc56c056df78f3796a231b0aa6d51ee4342692d8c5720c2de856f13ec25b23044d84f23f6c4c3061f621bbaf9c7e85a643e23baec781b488321dee8d5999bc

Download Submit
C:\Windows\{D38E413C-C294-4dfb-B506-F661479187CE}.exe

Filesize
76KB

MD5
3d94313b750e4a42575c26bb198e7a81

SHA1
2ef11e584c67fa59dafac961b447e2fd4de08d6e

SHA256
9485b87778981b6a200fcd2b3af347074c1dca147c278826c4d447d49abe9a27

SHA512
82e33b5384e8d3332759e4aad52c6c78ff975705f36bbac7ecef5a06b9eb1ffbb2e0148b0c249ddefbb90ba190263412ea7df8691890d7fb7c4839afed90d134

Download Submit
C:\Windows\{D3EE705E-C0D6-46e1-AEB0-11CF91358086}.exe

Filesize
76KB

MD5
c64cbf1a05500499eaf871f4257c07a5

SHA1
105ba3754df334c0150feab855a73de9a412acfe

SHA256
ba5bc369b60a789e5ef37c11a4d8ccc085b240a2093e62bdd563370983585555

SHA512
ab330645df3060073ef4043a1143776c6e0d6d2152bcffd3ce1516c01954e8c7ddda6c1d18a282cd1859d47f559c925b08725ad7726afed5bf870741c4fcc579

Download Submit
C:\Windows\{D828D7C0-FAD6-482f-BB0F-D6538EADF68E}.exe

Filesize
76KB

MD5
a255b71f247f81e2701c355493898f65

SHA1
ea96938ebb34151a57b3dc9be4d78adfa6bf0e93

SHA256
fd34f90a79680d2155f770b7a60fbab8be4b0b7243094160d258674f4c16218a

SHA512
1dd2440828d208a7227c49278c7ef21288d0af113b61c96ac2d0114663423f5614ec4b0c40285d874bbb96786ebd70deac74cc7ecc8445af3ae897c7a136d251

Download Submit
C:\Windows\{DE52ADAE-BC5F-4316-8E4D-C1E4371F3079}.exe

Filesize
76KB

MD5
ce71e5d7f5a5a056c0ec970658f11818

SHA1
f690549aab89e4d5928551cb62c4ba8363e87dd4

SHA256
fb75fc36ba8f5a1986f006db669dbae45575bd33f970cc7b1948014c198829fb

SHA512
59edfef9c6643a333b1a656d7edb139f98651476a26b8bb88bd9f57b61c380e300bc39b408094552f0123d5d8e2efd4d4170e4124e1f52e9e1f3fbc43fe94c8e

Download Submit
C:\Windows\{F0592ACA-2648-49dd-8AEF-4F4D7860DF24}.exe

Filesize
76KB

MD5
907e2d820881fe8cf8fe3dcaf1abf1a0

SHA1
3445dd74b83e914974c37320197bd8d647a34044

SHA256
1a40798fccad10dff7fedbc506aee6b59424a027526f1a6ac6aef77ff1b69348

SHA512
75003752f1a243fb94c08c00f4a7d1b8d3a638dfb560de7b524dd9541e1221b77fc1340993e601d2d72b05e8d08ae3043530d5cbf0bf537617fdb52113637a1e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads