d9e03f1e7dad657ca9d3c6e92f95cf6e0b332344e0e47efc64d4a4f199185f0a

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86ec7a53400630c447c5ef88d42a2320N.exe
Size

91KB
MD5

86ec7a53400630c447c5ef88d42a2320
SHA1

f0801a56a40e3b73a6f813403de7baf296ccadbf
SHA256

d9e03f1e7dad657ca9d3c6e92f95cf6e0b332344e0e47efc64d4a4f199185f0a
SHA512

bdaef2fe9ed064f8473372804eb07bf1b06cf050d613eafe1ae9ef9686ea6c9764160627fb7124f7897276d83c915fc09f876ceb76c5ad6132cf6bd3e7c3d761
SSDEEP

768:5vw9816uhKiro74/wQNNrfrunMxVFA3b7t:lEGkmo7lCunMxVS3Ht

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E87AFE11-CFC5-4fcf-A92C-C1E511DD8439}\stubpath = "C:\\Windows\\{E87AFE11-CFC5-4fcf-A92C-C1E511DD8439}.exe"	{033B3CE3-93C4-4435-B18E-1051DA6F438C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3FB789D-C894-4836-84AB-6928925ABD29}	{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1481116F-D3E0-43a2-8554-9B67FE150ABE}\stubpath = "C:\\Windows\\{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe"	{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C03B70EE-4629-4c0a-B98F-3DAC56259D86}	{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D93F213C-AAE8-48ad-B021-2E21173902E0}	{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D93F213C-AAE8-48ad-B021-2E21173902E0}\stubpath = "C:\\Windows\\{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe"	{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{033B3CE3-93C4-4435-B18E-1051DA6F438C}	{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E87AFE11-CFC5-4fcf-A92C-C1E511DD8439}	{033B3CE3-93C4-4435-B18E-1051DA6F438C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3FB789D-C894-4836-84AB-6928925ABD29}\stubpath = "C:\\Windows\\{F3FB789D-C894-4836-84AB-6928925ABD29}.exe"	{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}\stubpath = "C:\\Windows\\{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe"	{F3FB789D-C894-4836-84AB-6928925ABD29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1481116F-D3E0-43a2-8554-9B67FE150ABE}	{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C03B70EE-4629-4c0a-B98F-3DAC56259D86}\stubpath = "C:\\Windows\\{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe"	{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{033B3CE3-93C4-4435-B18E-1051DA6F438C}\stubpath = "C:\\Windows\\{033B3CE3-93C4-4435-B18E-1051DA6F438C}.exe"	{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}	86ec7a53400630c447c5ef88d42a2320N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}	{F3FB789D-C894-4836-84AB-6928925ABD29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA6F94B6-2657-4a33-A9C9-2537406A6D09}	{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}\stubpath = "C:\\Windows\\{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe"	86ec7a53400630c447c5ef88d42a2320N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA6F94B6-2657-4a33-A9C9-2537406A6D09}\stubpath = "C:\\Windows\\{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe"	{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2728	{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe
2700	{F3FB789D-C894-4836-84AB-6928925ABD29}.exe
2596	{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe
860	{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe
2812	{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe
272	{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe
1036	{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe
2208	{033B3CE3-93C4-4435-B18E-1051DA6F438C}.exe
1060	{E87AFE11-CFC5-4fcf-A92C-C1E511DD8439}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe	{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe
File created	C:\Windows\{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe	{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe
File created	C:\Windows\{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe	86ec7a53400630c447c5ef88d42a2320N.exe
File created	C:\Windows\{F3FB789D-C894-4836-84AB-6928925ABD29}.exe	{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe
File created	C:\Windows\{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe	{F3FB789D-C894-4836-84AB-6928925ABD29}.exe
File created	C:\Windows\{E87AFE11-CFC5-4fcf-A92C-C1E511DD8439}.exe	{033B3CE3-93C4-4435-B18E-1051DA6F438C}.exe
File created	C:\Windows\{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe	{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe
File created	C:\Windows\{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe	{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe
File created	C:\Windows\{033B3CE3-93C4-4435-B18E-1051DA6F438C}.exe	{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F3FB789D-C894-4836-84AB-6928925ABD29}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86ec7a53400630c447c5ef88d42a2320N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E87AFE11-CFC5-4fcf-A92C-C1E511DD8439}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{033B3CE3-93C4-4435-B18E-1051DA6F438C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2616	86ec7a53400630c447c5ef88d42a2320N.exe
Token: SeIncBasePriorityPrivilege	2728	{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe
Token: SeIncBasePriorityPrivilege	2700	{F3FB789D-C894-4836-84AB-6928925ABD29}.exe
Token: SeIncBasePriorityPrivilege	2596	{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe
Token: SeIncBasePriorityPrivilege	860	{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe
Token: SeIncBasePriorityPrivilege	2812	{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe
Token: SeIncBasePriorityPrivilege	272	{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe
Token: SeIncBasePriorityPrivilege	1036	{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe
Token: SeIncBasePriorityPrivilege	2208	{033B3CE3-93C4-4435-B18E-1051DA6F438C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2728	2616	86ec7a53400630c447c5ef88d42a2320N.exe	30
PID 2616 wrote to memory of 2728	2616	86ec7a53400630c447c5ef88d42a2320N.exe	30
PID 2616 wrote to memory of 2728	2616	86ec7a53400630c447c5ef88d42a2320N.exe	30
PID 2616 wrote to memory of 2728	2616	86ec7a53400630c447c5ef88d42a2320N.exe	30
PID 2616 wrote to memory of 2676	2616	86ec7a53400630c447c5ef88d42a2320N.exe	31
PID 2616 wrote to memory of 2676	2616	86ec7a53400630c447c5ef88d42a2320N.exe	31
PID 2616 wrote to memory of 2676	2616	86ec7a53400630c447c5ef88d42a2320N.exe	31
PID 2616 wrote to memory of 2676	2616	86ec7a53400630c447c5ef88d42a2320N.exe	31
PID 2728 wrote to memory of 2700	2728	{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe	32
PID 2728 wrote to memory of 2700	2728	{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe	32
PID 2728 wrote to memory of 2700	2728	{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe	32
PID 2728 wrote to memory of 2700	2728	{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe	32
PID 2728 wrote to memory of 2688	2728	{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe	33
PID 2728 wrote to memory of 2688	2728	{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe	33
PID 2728 wrote to memory of 2688	2728	{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe	33
PID 2728 wrote to memory of 2688	2728	{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe	33
PID 2700 wrote to memory of 2596	2700	{F3FB789D-C894-4836-84AB-6928925ABD29}.exe	34
PID 2700 wrote to memory of 2596	2700	{F3FB789D-C894-4836-84AB-6928925ABD29}.exe	34
PID 2700 wrote to memory of 2596	2700	{F3FB789D-C894-4836-84AB-6928925ABD29}.exe	34
PID 2700 wrote to memory of 2596	2700	{F3FB789D-C894-4836-84AB-6928925ABD29}.exe	34
PID 2700 wrote to memory of 2980	2700	{F3FB789D-C894-4836-84AB-6928925ABD29}.exe	35
PID 2700 wrote to memory of 2980	2700	{F3FB789D-C894-4836-84AB-6928925ABD29}.exe	35
PID 2700 wrote to memory of 2980	2700	{F3FB789D-C894-4836-84AB-6928925ABD29}.exe	35
PID 2700 wrote to memory of 2980	2700	{F3FB789D-C894-4836-84AB-6928925ABD29}.exe	35
PID 2596 wrote to memory of 860	2596	{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe	36
PID 2596 wrote to memory of 860	2596	{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe	36
PID 2596 wrote to memory of 860	2596	{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe	36
PID 2596 wrote to memory of 860	2596	{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe	36
PID 2596 wrote to memory of 2408	2596	{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe	37
PID 2596 wrote to memory of 2408	2596	{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe	37
PID 2596 wrote to memory of 2408	2596	{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe	37
PID 2596 wrote to memory of 2408	2596	{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe	37
PID 860 wrote to memory of 2812	860	{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe	38
PID 860 wrote to memory of 2812	860	{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe	38
PID 860 wrote to memory of 2812	860	{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe	38
PID 860 wrote to memory of 2812	860	{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe	38
PID 860 wrote to memory of 2132	860	{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe	39
PID 860 wrote to memory of 2132	860	{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe	39
PID 860 wrote to memory of 2132	860	{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe	39
PID 860 wrote to memory of 2132	860	{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe	39
PID 2812 wrote to memory of 272	2812	{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe	41
PID 2812 wrote to memory of 272	2812	{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe	41
PID 2812 wrote to memory of 272	2812	{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe	41
PID 2812 wrote to memory of 272	2812	{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe	41
PID 2812 wrote to memory of 2972	2812	{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe	42
PID 2812 wrote to memory of 2972	2812	{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe	42
PID 2812 wrote to memory of 2972	2812	{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe	42
PID 2812 wrote to memory of 2972	2812	{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe	42
PID 272 wrote to memory of 1036	272	{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe	43
PID 272 wrote to memory of 1036	272	{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe	43
PID 272 wrote to memory of 1036	272	{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe	43
PID 272 wrote to memory of 1036	272	{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe	43
PID 272 wrote to memory of 2368	272	{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe	44
PID 272 wrote to memory of 2368	272	{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe	44
PID 272 wrote to memory of 2368	272	{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe	44
PID 272 wrote to memory of 2368	272	{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe	44
PID 1036 wrote to memory of 2208	1036	{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe	45
PID 1036 wrote to memory of 2208	1036	{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe	45
PID 1036 wrote to memory of 2208	1036	{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe	45
PID 1036 wrote to memory of 2208	1036	{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe	45
PID 1036 wrote to memory of 2236	1036	{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe	46
PID 1036 wrote to memory of 2236	1036	{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe	46
PID 1036 wrote to memory of 2236	1036	{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe	46
PID 1036 wrote to memory of 2236	1036	{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe	46

C:\Users\Admin\AppData\Local\Temp\86ec7a53400630c447c5ef88d42a2320N.exe
"C:\Users\Admin\AppData\Local\Temp\86ec7a53400630c447c5ef88d42a2320N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe
  C:\Windows\{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\{F3FB789D-C894-4836-84AB-6928925ABD29}.exe
    C:\Windows\{F3FB789D-C894-4836-84AB-6928925ABD29}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe
      C:\Windows\{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe
        
        C:\Windows\{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:860
      - C:\Windows\{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe
        
        C:\Windows\{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe
        
        C:\Windows\{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:272
        
        C:\Windows\{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe
        
        C:\Windows\{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\{033B3CE3-93C4-4435-B18E-1051DA6F438C}.exe
        
        C:\Windows\{033B3CE3-93C4-4435-B18E-1051DA6F438C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\{E87AFE11-CFC5-4fcf-A92C-C1E511DD8439}.exe
        
        C:\Windows\{E87AFE11-CFC5-4fcf-A92C-C1E511DD8439}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{033B3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D93F2~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C03B7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14811~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA6F9~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACACF~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F3FB7~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4EC03~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\86EC7A~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{033B3CE3-93C4-4435-B18E-1051DA6F438C}.exe

Filesize
91KB

MD5
5f4bc025c237e9605a004d6b88d4ef4d

SHA1
378d84075903189869a97dd9c5c6ed43d4b3d840

SHA256
c5c28033d58983e8445b56c59d552dfab6bff3f02af16a8b3f557cf9806ec536

SHA512
97e05d38101af6c935a3f5af7cd291698ca52153bab5f66fa25a231a016f6ea40911ff9cd3f6badb4e8489e2ae546010bcfa69c8559e1d8007e6f1847fda9ad3

Download Submit
C:\Windows\{1481116F-D3E0-43a2-8554-9B67FE150ABE}.exe

Filesize
91KB

MD5
fc74255e61e3ec8bdaa28ec3782ed7a6

SHA1
6bc198dd769091266e7668ad6cee2ea2e569baa7

SHA256
47ae20188ed5e3cf3b2b58500d5e3ef9491b0eba8546ba98439531ab2935390a

SHA512
f1b5a6a18a850802617be65e1abe84eaa60d15f0a71522e26e2d074c49fc90476deeff227826fa14aec69ead5e11392488c86205fe1c2b0c3516eb2666ad75ad

Download Submit
C:\Windows\{4EC03203-B28E-46b7-8C73-3C4AE9AA25A2}.exe

Filesize
91KB

MD5
66ed3f1e6bfa1cf1d77b85e4d74dec09

SHA1
6cfd529f0bcdbf5093e26a71dd2219888731046b

SHA256
70d8b5209531d0dedf7b8d8aaddb0e0b9c998850b56670e074fed62f36a5e42d

SHA512
b988f30d8a7489a5793f94c521c632154375ccb4eca056ba93f3e04b56a995900197b14d86ff2e5e5b820e45e1a5e643d97a787cdf70168f0b2b05d4159dc215

Download Submit
C:\Windows\{ACACFC56-DC87-429f-864E-9F4BCBBC0C3C}.exe

Filesize
91KB

MD5
8965f44b218941608d4e868e7b320c98

SHA1
8caba195416893a7b8662934291abb9fe77755e3

SHA256
abac43a2bae9bca00ff421885586bc05a2680f72aef687e50edc738503d108f6

SHA512
949005956e259c6c5cae4f4013ae9a6b3e2b998796352301c4afa5be3b8234400b89d96b1aeebff4f875e78d26c917dad9413e3112b46514ba2284f3a0cf4a56

Download Submit
C:\Windows\{C03B70EE-4629-4c0a-B98F-3DAC56259D86}.exe

Filesize
91KB

MD5
0587969c8222cd5e31909a52881b2504

SHA1
919ec67dadc822ad276d80e98c10748ef9f5d87c

SHA256
18f8a2e7dc009cd6fd90954a4abd4929d518c30bd9ff4a35a0b5af40266d7fff

SHA512
e774e6fba00e702f9120daa8730492d75e5206ee80ebd2ca4dd134906b270d023ec7d728797e27b2459e6f2af87ede734ba6aca6d5f02d5955b15e110e4e78c0

Download Submit
C:\Windows\{D93F213C-AAE8-48ad-B021-2E21173902E0}.exe

Filesize
91KB

MD5
2970bb0499456aee735edb817d2c17d6

SHA1
e53c5e45bff560647593bdcc38de9624503ee69b

SHA256
9f4c32d70c7ab6656d02558e7762d971f5563b21adeaf09b78aa913970620ca7

SHA512
0d165018f2dde5600e8b988a26a37ff040b7c55837617a2f35cd07200897819c1aa511ccac64b3d3fd8e52f4e616fb7664f5c954c818cb8cc0ec1b3a2d4ab846

Download Submit
C:\Windows\{E87AFE11-CFC5-4fcf-A92C-C1E511DD8439}.exe

Filesize
91KB

MD5
b0d265ea41b4c641c167edff885e0a32

SHA1
b2c270d29e51d7d6c3bfcd79a4cd0050ee297cdc

SHA256
d7a5a970b4fe81437c988a69c29880a934dccece095f8418425cabf6bad33ce7

SHA512
ac534ba22976425ff3318933d57d3b99f0da06590e174ea4b68ad19af7e96a0130a5c19d18f284545704f4fa050759012d034335d2b0d62b45c3038afb281a19

Download Submit
C:\Windows\{F3FB789D-C894-4836-84AB-6928925ABD29}.exe

Filesize
91KB

MD5
5c12b6fde2df9f40729738653ad08b76

SHA1
d013e8bec4720145c09d22c17eaff6e4eaa9aaed

SHA256
38fb8821fd92f77d2c4bc02e4f853661ab48ebdcefb500657d8327b3aaab91ae

SHA512
0bf41511e9afabae088a27d3011e0b8cc4c966af9f9e4ab4385397796f740aae5d88eb338edf1b129138fb7d55ccde5e839a48cdb258c3073f6587a6c4bd7dbb

Download Submit
C:\Windows\{FA6F94B6-2657-4a33-A9C9-2537406A6D09}.exe

Filesize
91KB

MD5
082a654958b912d1d99df17c3d42e63c

SHA1
a98c9a02bb85137fe21644b3a06134ac861df0b4

SHA256
5602ea40c51bb6230013bcb1b21d6c6f4fe67aa8687da5028c98a240ffa7885c

SHA512
0e93ef7a258c52061948eb1c72322b3d939bf2964e1cd7ecb8cc49c98318acdf045e9941f8c0935c1fd00250d5b23f4eddb1a45702527c78d221f2a5df21f10c

Download Submit
memory/272-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/272-66-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/272-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/860-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/860-51-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/860-44-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/860-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1036-75-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/1036-81-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1036-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2208-84-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2208-90-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2596-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2596-33-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/2596-35-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/2616-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2616-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2616-3-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/2616-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2700-23-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2700-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2700-26-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2700-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2728-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2728-12-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/2812-62-0x0000000001E40000-0x0000000001E51000-memory.dmp

Filesize
68KB

Download
memory/2812-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2812-55-0x0000000001E40000-0x0000000001E51000-memory.dmp

Filesize
68KB

Download
memory/2812-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads