d9e03f1e7dad657ca9d3c6e92f95cf6e0b332344e0e47efc64d4a4f199185f0a

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 03:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

86ec7a53400630c447c5ef88d42a2320N.exe
Size

91KB
MD5

86ec7a53400630c447c5ef88d42a2320
SHA1

f0801a56a40e3b73a6f813403de7baf296ccadbf
SHA256

d9e03f1e7dad657ca9d3c6e92f95cf6e0b332344e0e47efc64d4a4f199185f0a
SHA512

bdaef2fe9ed064f8473372804eb07bf1b06cf050d613eafe1ae9ef9686ea6c9764160627fb7124f7897276d83c915fc09f876ceb76c5ad6132cf6bd3e7c3d761
SSDEEP

768:5vw9816uhKiro74/wQNNrfrunMxVFA3b7t:lEGkmo7lCunMxVS3Ht

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1425A90-0505-4ae7-A534-DD0AA55ACB22}	{85033313-5A52-4c1e-BC77-4226316E7140}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49E8816D-9DF1-4729-B371-720002432F84}\stubpath = "C:\\Windows\\{49E8816D-9DF1-4729-B371-720002432F84}.exe"	{00ABF1B5-B324-4221-8180-5F115759810B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D290841-C907-4ee5-92B7-9272A159F296}\stubpath = "C:\\Windows\\{3D290841-C907-4ee5-92B7-9272A159F296}.exe"	{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49E8816D-9DF1-4729-B371-720002432F84}	{00ABF1B5-B324-4221-8180-5F115759810B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}\stubpath = "C:\\Windows\\{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe"	{49E8816D-9DF1-4729-B371-720002432F84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}	{3D290841-C907-4ee5-92B7-9272A159F296}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85033313-5A52-4c1e-BC77-4226316E7140}	86ec7a53400630c447c5ef88d42a2320N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85033313-5A52-4c1e-BC77-4226316E7140}\stubpath = "C:\\Windows\\{85033313-5A52-4c1e-BC77-4226316E7140}.exe"	86ec7a53400630c447c5ef88d42a2320N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}	{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}\stubpath = "C:\\Windows\\{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe"	{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00ABF1B5-B324-4221-8180-5F115759810B}\stubpath = "C:\\Windows\\{00ABF1B5-B324-4221-8180-5F115759810B}.exe"	{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}\stubpath = "C:\\Windows\\{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe"	{3D290841-C907-4ee5-92B7-9272A159F296}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00ABF1B5-B324-4221-8180-5F115759810B}	{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D290841-C907-4ee5-92B7-9272A159F296}	{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC218A54-9E4F-4229-B8EC-9F02D176EAFB}	{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC218A54-9E4F-4229-B8EC-9F02D176EAFB}\stubpath = "C:\\Windows\\{EC218A54-9E4F-4229-B8EC-9F02D176EAFB}.exe"	{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1425A90-0505-4ae7-A534-DD0AA55ACB22}\stubpath = "C:\\Windows\\{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe"	{85033313-5A52-4c1e-BC77-4226316E7140}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}	{49E8816D-9DF1-4729-B371-720002432F84}.exe

Executes dropped EXE 9 IoCs

pid	Process
4428	{85033313-5A52-4c1e-BC77-4226316E7140}.exe
440	{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe
4228	{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe
624	{00ABF1B5-B324-4221-8180-5F115759810B}.exe
3764	{49E8816D-9DF1-4729-B371-720002432F84}.exe
4116	{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe
3348	{3D290841-C907-4ee5-92B7-9272A159F296}.exe
2320	{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe
2564	{EC218A54-9E4F-4229-B8EC-9F02D176EAFB}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe	{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe
File created	C:\Windows\{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe	{49E8816D-9DF1-4729-B371-720002432F84}.exe
File created	C:\Windows\{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe	{3D290841-C907-4ee5-92B7-9272A159F296}.exe
File created	C:\Windows\{49E8816D-9DF1-4729-B371-720002432F84}.exe	{00ABF1B5-B324-4221-8180-5F115759810B}.exe
File created	C:\Windows\{3D290841-C907-4ee5-92B7-9272A159F296}.exe	{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe
File created	C:\Windows\{EC218A54-9E4F-4229-B8EC-9F02D176EAFB}.exe	{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe
File created	C:\Windows\{85033313-5A52-4c1e-BC77-4226316E7140}.exe	86ec7a53400630c447c5ef88d42a2320N.exe
File created	C:\Windows\{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe	{85033313-5A52-4c1e-BC77-4226316E7140}.exe
File created	C:\Windows\{00ABF1B5-B324-4221-8180-5F115759810B}.exe	{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{85033313-5A52-4c1e-BC77-4226316E7140}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{49E8816D-9DF1-4729-B371-720002432F84}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D290841-C907-4ee5-92B7-9272A159F296}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EC218A54-9E4F-4229-B8EC-9F02D176EAFB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86ec7a53400630c447c5ef88d42a2320N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{00ABF1B5-B324-4221-8180-5F115759810B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3480	86ec7a53400630c447c5ef88d42a2320N.exe
Token: SeIncBasePriorityPrivilege	4428	{85033313-5A52-4c1e-BC77-4226316E7140}.exe
Token: SeIncBasePriorityPrivilege	440	{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe
Token: SeIncBasePriorityPrivilege	4228	{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe
Token: SeIncBasePriorityPrivilege	624	{00ABF1B5-B324-4221-8180-5F115759810B}.exe
Token: SeIncBasePriorityPrivilege	3764	{49E8816D-9DF1-4729-B371-720002432F84}.exe
Token: SeIncBasePriorityPrivilege	4116	{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe
Token: SeIncBasePriorityPrivilege	3348	{3D290841-C907-4ee5-92B7-9272A159F296}.exe
Token: SeIncBasePriorityPrivilege	2320	{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 4428	3480	86ec7a53400630c447c5ef88d42a2320N.exe	94
PID 3480 wrote to memory of 4428	3480	86ec7a53400630c447c5ef88d42a2320N.exe	94
PID 3480 wrote to memory of 4428	3480	86ec7a53400630c447c5ef88d42a2320N.exe	94
PID 3480 wrote to memory of 4200	3480	86ec7a53400630c447c5ef88d42a2320N.exe	95
PID 3480 wrote to memory of 4200	3480	86ec7a53400630c447c5ef88d42a2320N.exe	95
PID 3480 wrote to memory of 4200	3480	86ec7a53400630c447c5ef88d42a2320N.exe	95
PID 4428 wrote to memory of 440	4428	{85033313-5A52-4c1e-BC77-4226316E7140}.exe	96
PID 4428 wrote to memory of 440	4428	{85033313-5A52-4c1e-BC77-4226316E7140}.exe	96
PID 4428 wrote to memory of 440	4428	{85033313-5A52-4c1e-BC77-4226316E7140}.exe	96
PID 4428 wrote to memory of 2644	4428	{85033313-5A52-4c1e-BC77-4226316E7140}.exe	97
PID 4428 wrote to memory of 2644	4428	{85033313-5A52-4c1e-BC77-4226316E7140}.exe	97
PID 4428 wrote to memory of 2644	4428	{85033313-5A52-4c1e-BC77-4226316E7140}.exe	97
PID 440 wrote to memory of 4228	440	{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe	100
PID 440 wrote to memory of 4228	440	{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe	100
PID 440 wrote to memory of 4228	440	{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe	100
PID 440 wrote to memory of 1536	440	{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe	101
PID 440 wrote to memory of 1536	440	{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe	101
PID 440 wrote to memory of 1536	440	{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe	101
PID 4228 wrote to memory of 624	4228	{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe	102
PID 4228 wrote to memory of 624	4228	{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe	102
PID 4228 wrote to memory of 624	4228	{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe	102
PID 4228 wrote to memory of 3760	4228	{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe	103
PID 4228 wrote to memory of 3760	4228	{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe	103
PID 4228 wrote to memory of 3760	4228	{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe	103
PID 624 wrote to memory of 3764	624	{00ABF1B5-B324-4221-8180-5F115759810B}.exe	104
PID 624 wrote to memory of 3764	624	{00ABF1B5-B324-4221-8180-5F115759810B}.exe	104
PID 624 wrote to memory of 3764	624	{00ABF1B5-B324-4221-8180-5F115759810B}.exe	104
PID 624 wrote to memory of 764	624	{00ABF1B5-B324-4221-8180-5F115759810B}.exe	105
PID 624 wrote to memory of 764	624	{00ABF1B5-B324-4221-8180-5F115759810B}.exe	105
PID 624 wrote to memory of 764	624	{00ABF1B5-B324-4221-8180-5F115759810B}.exe	105
PID 3764 wrote to memory of 4116	3764	{49E8816D-9DF1-4729-B371-720002432F84}.exe	106
PID 3764 wrote to memory of 4116	3764	{49E8816D-9DF1-4729-B371-720002432F84}.exe	106
PID 3764 wrote to memory of 4116	3764	{49E8816D-9DF1-4729-B371-720002432F84}.exe	106
PID 3764 wrote to memory of 4420	3764	{49E8816D-9DF1-4729-B371-720002432F84}.exe	107
PID 3764 wrote to memory of 4420	3764	{49E8816D-9DF1-4729-B371-720002432F84}.exe	107
PID 3764 wrote to memory of 4420	3764	{49E8816D-9DF1-4729-B371-720002432F84}.exe	107
PID 4116 wrote to memory of 3348	4116	{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe	108
PID 4116 wrote to memory of 3348	4116	{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe	108
PID 4116 wrote to memory of 3348	4116	{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe	108
PID 4116 wrote to memory of 1836	4116	{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe	109
PID 4116 wrote to memory of 1836	4116	{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe	109
PID 4116 wrote to memory of 1836	4116	{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe	109
PID 3348 wrote to memory of 2320	3348	{3D290841-C907-4ee5-92B7-9272A159F296}.exe	110
PID 3348 wrote to memory of 2320	3348	{3D290841-C907-4ee5-92B7-9272A159F296}.exe	110
PID 3348 wrote to memory of 2320	3348	{3D290841-C907-4ee5-92B7-9272A159F296}.exe	110
PID 3348 wrote to memory of 2984	3348	{3D290841-C907-4ee5-92B7-9272A159F296}.exe	111
PID 3348 wrote to memory of 2984	3348	{3D290841-C907-4ee5-92B7-9272A159F296}.exe	111
PID 3348 wrote to memory of 2984	3348	{3D290841-C907-4ee5-92B7-9272A159F296}.exe	111
PID 2320 wrote to memory of 2564	2320	{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe	112
PID 2320 wrote to memory of 2564	2320	{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe	112
PID 2320 wrote to memory of 2564	2320	{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe	112
PID 2320 wrote to memory of 556	2320	{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe	113
PID 2320 wrote to memory of 556	2320	{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe	113
PID 2320 wrote to memory of 556	2320	{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe	113

C:\Users\Admin\AppData\Local\Temp\86ec7a53400630c447c5ef88d42a2320N.exe
"C:\Users\Admin\AppData\Local\Temp\86ec7a53400630c447c5ef88d42a2320N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\{85033313-5A52-4c1e-BC77-4226316E7140}.exe
  C:\Windows\{85033313-5A52-4c1e-BC77-4226316E7140}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe
    C:\Windows\{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Windows\{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe
      C:\Windows\{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4228
    - - C:\Windows\{00ABF1B5-B324-4221-8180-5F115759810B}.exe
        
        C:\Windows\{00ABF1B5-B324-4221-8180-5F115759810B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
      - C:\Windows\{49E8816D-9DF1-4729-B371-720002432F84}.exe
        
        C:\Windows\{49E8816D-9DF1-4729-B371-720002432F84}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe
        
        C:\Windows\{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\{3D290841-C907-4ee5-92B7-9272A159F296}.exe
        
        C:\Windows\{3D290841-C907-4ee5-92B7-9272A159F296}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe
        
        C:\Windows\{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{EC218A54-9E4F-4229-B8EC-9F02D176EAFB}.exe
        
        C:\Windows\{EC218A54-9E4F-4229-B8EC-9F02D176EAFB}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CE4F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D290~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8587A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49E88~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00ABF~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3E6D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F1425~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{85033~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\86EC7A~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00ABF1B5-B324-4221-8180-5F115759810B}.exe

Filesize
91KB

MD5
398132dad168614a7897344e80eb8267

SHA1
2bed4ee002eb95833fcfdf44358684366fe0752c

SHA256
403738eb50547d7f3b576a037cc427e12713c736e94e9e599f71e9c5b359448f

SHA512
2d8b9580246d462f693880d40a737bd2f56e1ffa3cdf55de9fd6d9f46c112f1a2f0c4daba2a80078a394419fa8f98d1843fedca0a9dcd75800f8ed56ec96d3dc

Download Submit
C:\Windows\{3D290841-C907-4ee5-92B7-9272A159F296}.exe

Filesize
91KB

MD5
d12f218fbdbc10fafc04cbd54feb4291

SHA1
1e831fd30b22db6da241e0757ff79609bb02f18f

SHA256
1212ad329b80127791d7184f1839d50d812a751660247dcf436d6452aac5747f

SHA512
a9efb59216b873379750549b3b037af53cd6fdd5b342d6af2688065d7c33d602f35861faa20733e8c16498324e4d1aa778b04ed8ddc105b95af3dbba973b9a1a

Download Submit
C:\Windows\{49E8816D-9DF1-4729-B371-720002432F84}.exe

Filesize
91KB

MD5
aef4c859d7e92985605b6954fa2b227b

SHA1
c60f81ad99ff6cf9f75c83ce62c84a64e2e0c0b3

SHA256
28e7c1dfabccb5160df4bb9accebf5a688e22eeaabd6df42f78c1297fa639cc7

SHA512
7dcf21b9d5b3fe631003999fea3992fcb9e1647080a34ebaf5e47337454c109c6d41d0a7111a7f4e700f2d771c3a09283cc7a3167e1f86f3a650fcaafd53220b

Download Submit
C:\Windows\{7CE4F1B1-848C-4bc5-94AE-86D541F32B18}.exe

Filesize
91KB

MD5
bd0167e1ccfa3f3ff67a41808ec7b363

SHA1
a2cb87fda8a24121f22f1fa4f8b5999ba7f82641

SHA256
58ed9255706e6e7fb9074cd8fe360154e6d63eb23e952fa1b5d729621477ccc1

SHA512
fea03361f15b44a7393e9937c2baf3f635acb8079fa0d2d9e2a921c468bade9848b58705c7f4ca151be0d8862a2c13018be8fb4e3a1b8375e42cdc9408c5ab58

Download Submit
C:\Windows\{85033313-5A52-4c1e-BC77-4226316E7140}.exe

Filesize
91KB

MD5
c1e148a315e8689a9ac71bb3c2094713

SHA1
0741833766ba2a3d8e7701540c7b2e7ae38636f8

SHA256
c9cfc6a29efd8c866c4d7c3ca334900e74a8c5909b429d7460e16706f9a1b7f5

SHA512
da393602897270319e1e34f472692a54f39b1557e347eddafe166e29abb9c22aa8752403ec1579b274cfdf12b5463a54f47b20779fa4ac85d2c98e138117452c

Download Submit
C:\Windows\{8587AC2F-A668-4f18-B5E8-A98CE4FD43E2}.exe

Filesize
91KB

MD5
3b9cd981430e47e07b6e1715f66198dd

SHA1
2fc4fd56d055e062a92ec69fa2e0bcab7c3f93d9

SHA256
320061f2a257ae057f4d8ca872a85b90c98dd0ddcc860dd3cc4013aee81c59b1

SHA512
6f80d8db13e94bb0103627eeb12e51c1590030ef80103e3b80d728218df337404fd93c04effa6e1f3b2eb2f6c120c074386e13f3be1aad5c9fd45b2177aae3b0

Download Submit
C:\Windows\{D3E6D697-1B58-44e8-9CB9-97ABDE4D77A0}.exe

Filesize
91KB

MD5
f45809782798a8f5e69bca790b2fb1ca

SHA1
195e53aeb58e7dfab407ecfe5126470871ad90f3

SHA256
95884f4905fca62ee1d0c0a23b620979010445f309f87f94d97f4663cfc27e7f

SHA512
fac812b58c8fdd1b6becc72e26d9c7af57bdec767b810b86723443deb951e0553d36c6864bd09be25ba3a08e000d2e572bc09aba0ada543971f011f06dba307e

Download Submit
C:\Windows\{EC218A54-9E4F-4229-B8EC-9F02D176EAFB}.exe

Filesize
91KB

MD5
896f2f09e1f0dc27a3d1fee9a980eb45

SHA1
63991d2be9f58f9bbe6e266379d66ac67e511bb4

SHA256
eeb8e60ef2c610f63f3077770ed606d50b56b3f4646176ee5ef68c96c2b6ad5a

SHA512
760e408b2cf3ef230d843fa5641da1aa5a2822c4bc204463a8ddc97519e350dc2e9220177d59a1fb39bae75840e3fe3a5bb9f35f375d1de23c90a93765c50054

Download Submit
C:\Windows\{F1425A90-0505-4ae7-A534-DD0AA55ACB22}.exe

Filesize
91KB

MD5
c11b24be3ea2dab328a689ef41cb00d6

SHA1
7f3f8589244e33a035fb3f77239c12061bfcc1d7

SHA256
0a9610dd89a9bdb85a989328c06257531a4408b804838c9ee6b82eec92faa16a

SHA512
cc5c6a184aaec582f7afa13d9353fceffac4f902ddbc5b985157f5898152d5213c094a4abfe937d0cdebeefa2a63fb5bc13c32a96070693cb285a03adc4282dc

Download Submit
memory/440-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/440-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/624-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/624-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2320-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2320-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2320-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2564-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3348-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3348-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3480-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3480-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3480-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3764-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3764-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4116-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4116-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4228-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4228-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4428-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4428-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4428-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads