6119d58486d1317da2c96f5d611a2253487b97c55ac01d2fed4458354a31f307

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0376e2dbd776b4b1a74ecebd73ccb580N.exe
Size

88KB
MD5

0376e2dbd776b4b1a74ecebd73ccb580
SHA1

404632978194a31e64804b5c62fe8acff7c91760
SHA256

6119d58486d1317da2c96f5d611a2253487b97c55ac01d2fed4458354a31f307
SHA512

d7cc39c6f8cbe6cbe2e6e43bee77027adc17fff26c4edfe47f7aadd439233a127779dbd49189ab04aed01408e8c2522a1a622c49d7530fb7e2f2dad99cb99b7e
SSDEEP

768:5vw9816thKQLro94/wQkNrfrunMxVFA3V:lEG/0o9lbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E8B0827-685C-4c1e-83C4-1F67796D1500}\stubpath = "C:\\Windows\\{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe"	0376e2dbd776b4b1a74ecebd73ccb580N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B08609D6-CB51-402e-8BFC-D15B60D50D84}	{5BB22588-8F40-4c3c-961C-685B57B93909}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{963F131A-55CA-4498-AD8B-BBECA6D575EF}\stubpath = "C:\\Windows\\{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe"	{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{573BCBBC-33BA-45d0-B35F-F0CB9BE9CFCA}	{E58B391B-7529-48bc-914C-2533E7F1E63D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{573BCBBC-33BA-45d0-B35F-F0CB9BE9CFCA}\stubpath = "C:\\Windows\\{573BCBBC-33BA-45d0-B35F-F0CB9BE9CFCA}.exe"	{E58B391B-7529-48bc-914C-2533E7F1E63D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B08609D6-CB51-402e-8BFC-D15B60D50D84}\stubpath = "C:\\Windows\\{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe"	{5BB22588-8F40-4c3c-961C-685B57B93909}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}	{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}\stubpath = "C:\\Windows\\{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe"	{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{963F131A-55CA-4498-AD8B-BBECA6D575EF}	{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E58B391B-7529-48bc-914C-2533E7F1E63D}	{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E8B0827-685C-4c1e-83C4-1F67796D1500}	0376e2dbd776b4b1a74ecebd73ccb580N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BB22588-8F40-4c3c-961C-685B57B93909}\stubpath = "C:\\Windows\\{5BB22588-8F40-4c3c-961C-685B57B93909}.exe"	{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB7F408A-9D36-40d6-8038-E2965F9E2063}	{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB7F408A-9D36-40d6-8038-E2965F9E2063}\stubpath = "C:\\Windows\\{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe"	{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7C9BB84-34F6-4257-94AE-C6999778F3EE}\stubpath = "C:\\Windows\\{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe"	{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E58B391B-7529-48bc-914C-2533E7F1E63D}\stubpath = "C:\\Windows\\{E58B391B-7529-48bc-914C-2533E7F1E63D}.exe"	{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BB22588-8F40-4c3c-961C-685B57B93909}	{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7C9BB84-34F6-4257-94AE-C6999778F3EE}	{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe

Deletes itself 1 IoCs

pid	Process
2208	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2984	{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe
2916	{5BB22588-8F40-4c3c-961C-685B57B93909}.exe
2648	{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe
2640	{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe
2952	{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe
2948	{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe
480	{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe
680	{E58B391B-7529-48bc-914C-2533E7F1E63D}.exe
328	{573BCBBC-33BA-45d0-B35F-F0CB9BE9CFCA}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{5BB22588-8F40-4c3c-961C-685B57B93909}.exe	{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe
File created	C:\Windows\{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe	{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe
File created	C:\Windows\{E58B391B-7529-48bc-914C-2533E7F1E63D}.exe	{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe
File created	C:\Windows\{573BCBBC-33BA-45d0-B35F-F0CB9BE9CFCA}.exe	{E58B391B-7529-48bc-914C-2533E7F1E63D}.exe
File created	C:\Windows\{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe	0376e2dbd776b4b1a74ecebd73ccb580N.exe
File created	C:\Windows\{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe	{5BB22588-8F40-4c3c-961C-685B57B93909}.exe
File created	C:\Windows\{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe	{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe
File created	C:\Windows\{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe	{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe
File created	C:\Windows\{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe	{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E58B391B-7529-48bc-914C-2533E7F1E63D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5BB22588-8F40-4c3c-961C-685B57B93909}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{573BCBBC-33BA-45d0-B35F-F0CB9BE9CFCA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0376e2dbd776b4b1a74ecebd73ccb580N.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1800	0376e2dbd776b4b1a74ecebd73ccb580N.exe
Token: SeIncBasePriorityPrivilege	2984	{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe
Token: SeIncBasePriorityPrivilege	2916	{5BB22588-8F40-4c3c-961C-685B57B93909}.exe
Token: SeIncBasePriorityPrivilege	2648	{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe
Token: SeIncBasePriorityPrivilege	2640	{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe
Token: SeIncBasePriorityPrivilege	2952	{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe
Token: SeIncBasePriorityPrivilege	2948	{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe
Token: SeIncBasePriorityPrivilege	480	{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe
Token: SeIncBasePriorityPrivilege	680	{E58B391B-7529-48bc-914C-2533E7F1E63D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2984	1800	0376e2dbd776b4b1a74ecebd73ccb580N.exe	31
PID 1800 wrote to memory of 2984	1800	0376e2dbd776b4b1a74ecebd73ccb580N.exe	31
PID 1800 wrote to memory of 2984	1800	0376e2dbd776b4b1a74ecebd73ccb580N.exe	31
PID 1800 wrote to memory of 2984	1800	0376e2dbd776b4b1a74ecebd73ccb580N.exe	31
PID 1800 wrote to memory of 2208	1800	0376e2dbd776b4b1a74ecebd73ccb580N.exe	32
PID 1800 wrote to memory of 2208	1800	0376e2dbd776b4b1a74ecebd73ccb580N.exe	32
PID 1800 wrote to memory of 2208	1800	0376e2dbd776b4b1a74ecebd73ccb580N.exe	32
PID 1800 wrote to memory of 2208	1800	0376e2dbd776b4b1a74ecebd73ccb580N.exe	32
PID 2984 wrote to memory of 2916	2984	{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe	33
PID 2984 wrote to memory of 2916	2984	{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe	33
PID 2984 wrote to memory of 2916	2984	{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe	33
PID 2984 wrote to memory of 2916	2984	{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe	33
PID 2984 wrote to memory of 2752	2984	{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe	34
PID 2984 wrote to memory of 2752	2984	{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe	34
PID 2984 wrote to memory of 2752	2984	{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe	34
PID 2984 wrote to memory of 2752	2984	{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe	34
PID 2916 wrote to memory of 2648	2916	{5BB22588-8F40-4c3c-961C-685B57B93909}.exe	35
PID 2916 wrote to memory of 2648	2916	{5BB22588-8F40-4c3c-961C-685B57B93909}.exe	35
PID 2916 wrote to memory of 2648	2916	{5BB22588-8F40-4c3c-961C-685B57B93909}.exe	35
PID 2916 wrote to memory of 2648	2916	{5BB22588-8F40-4c3c-961C-685B57B93909}.exe	35
PID 2916 wrote to memory of 1740	2916	{5BB22588-8F40-4c3c-961C-685B57B93909}.exe	36
PID 2916 wrote to memory of 1740	2916	{5BB22588-8F40-4c3c-961C-685B57B93909}.exe	36
PID 2916 wrote to memory of 1740	2916	{5BB22588-8F40-4c3c-961C-685B57B93909}.exe	36
PID 2916 wrote to memory of 1740	2916	{5BB22588-8F40-4c3c-961C-685B57B93909}.exe	36
PID 2648 wrote to memory of 2640	2648	{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe	37
PID 2648 wrote to memory of 2640	2648	{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe	37
PID 2648 wrote to memory of 2640	2648	{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe	37
PID 2648 wrote to memory of 2640	2648	{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe	37
PID 2648 wrote to memory of 2744	2648	{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe	38
PID 2648 wrote to memory of 2744	2648	{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe	38
PID 2648 wrote to memory of 2744	2648	{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe	38
PID 2648 wrote to memory of 2744	2648	{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe	38
PID 2640 wrote to memory of 2952	2640	{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe	39
PID 2640 wrote to memory of 2952	2640	{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe	39
PID 2640 wrote to memory of 2952	2640	{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe	39
PID 2640 wrote to memory of 2952	2640	{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe	39
PID 2640 wrote to memory of 1828	2640	{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe	40
PID 2640 wrote to memory of 1828	2640	{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe	40
PID 2640 wrote to memory of 1828	2640	{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe	40
PID 2640 wrote to memory of 1828	2640	{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe	40
PID 2952 wrote to memory of 2948	2952	{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe	41
PID 2952 wrote to memory of 2948	2952	{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe	41
PID 2952 wrote to memory of 2948	2952	{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe	41
PID 2952 wrote to memory of 2948	2952	{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe	41
PID 2952 wrote to memory of 1660	2952	{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe	42
PID 2952 wrote to memory of 1660	2952	{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe	42
PID 2952 wrote to memory of 1660	2952	{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe	42
PID 2952 wrote to memory of 1660	2952	{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe	42
PID 2948 wrote to memory of 480	2948	{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe	44
PID 2948 wrote to memory of 480	2948	{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe	44
PID 2948 wrote to memory of 480	2948	{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe	44
PID 2948 wrote to memory of 480	2948	{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe	44
PID 2948 wrote to memory of 572	2948	{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe	45
PID 2948 wrote to memory of 572	2948	{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe	45
PID 2948 wrote to memory of 572	2948	{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe	45
PID 2948 wrote to memory of 572	2948	{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe	45
PID 480 wrote to memory of 680	480	{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe	46
PID 480 wrote to memory of 680	480	{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe	46
PID 480 wrote to memory of 680	480	{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe	46
PID 480 wrote to memory of 680	480	{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe	46
PID 480 wrote to memory of 2372	480	{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe	47
PID 480 wrote to memory of 2372	480	{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe	47
PID 480 wrote to memory of 2372	480	{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe	47
PID 480 wrote to memory of 2372	480	{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe	47

C:\Users\Admin\AppData\Local\Temp\0376e2dbd776b4b1a74ecebd73ccb580N.exe
"C:\Users\Admin\AppData\Local\Temp\0376e2dbd776b4b1a74ecebd73ccb580N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe
  C:\Windows\{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\{5BB22588-8F40-4c3c-961C-685B57B93909}.exe
    C:\Windows\{5BB22588-8F40-4c3c-961C-685B57B93909}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe
      C:\Windows\{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe
        
        C:\Windows\{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe
        
        C:\Windows\{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe
        
        C:\Windows\{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe
        
        C:\Windows\{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:480
        
        C:\Windows\{E58B391B-7529-48bc-914C-2533E7F1E63D}.exe
        
        C:\Windows\{E58B391B-7529-48bc-914C-2533E7F1E63D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Windows\{573BCBBC-33BA-45d0-B35F-F0CB9BE9CFCA}.exe
        
        C:\Windows\{573BCBBC-33BA-45d0-B35F-F0CB9BE9CFCA}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E58B3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7C9B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{963F1~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB7F4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AD6D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0860~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5BB22~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5E8B0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0376E2~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{573BCBBC-33BA-45d0-B35F-F0CB9BE9CFCA}.exe

Filesize
88KB

MD5
dbff688b83e3ecdd05f4d19788d44d11

SHA1
ff3ac7af819c555a8b7bdd4303238f2aca9822ae

SHA256
6a0562553e098f19e711b0533e2e0be5cd89d43f0132be72309cfa44bc76afbe

SHA512
c583ebb75e65eb4849b5b6ad278bcd0824e23019cc741d1cdd39293ded2b0f67ce735549226f1c35a24d9356182839c852987d8e47ed0b7c45f0e3fa8f607fd5

Download Submit
C:\Windows\{5BB22588-8F40-4c3c-961C-685B57B93909}.exe

Filesize
88KB

MD5
48c6c6f9cc9b384974c7a31e9fcdc18d

SHA1
d173762c22254926ecf2613e70b4d71246062253

SHA256
3554167bb1079a2f1975b212415db8f4eefdf3bbfa6daf0833b0af22f1168eda

SHA512
adba5da205f6295f53a518c95da6649168753276f9f007806738302a925f24177cf6d0c4057f6793f7b51ee82b783353b1fa5a8e774d4bd0fe0f1dd58d75ad05

Download Submit
C:\Windows\{5E8B0827-685C-4c1e-83C4-1F67796D1500}.exe

Filesize
88KB

MD5
3c11b76bbae371a131dcd12d48427fe5

SHA1
da7f5d0bcc05dad4cad677c635e942b523395be0

SHA256
a3df4d8ed1a99416b9117327417e4d5450d4865ce3a6dfabd0b3265892a9ffab

SHA512
62f63eb1c86243dfe0f91bd1cd8f646ccea1836618c116bb078e0c8edeff0b44df63e67b3499b31466e81375c994888f90f0bfed5dd9e372a69f2fcdeae2001f

Download Submit
C:\Windows\{6AD6D101-2CEA-4543-BCEF-D17C9FED3A58}.exe

Filesize
88KB

MD5
ed69eefa8c68f59700ece295edfb2a5f

SHA1
792d3f014187adbe40219d5aae222e0f699d8e6b

SHA256
204b1b888014548f1343f5108078da6590ae2b9b2cd0bf32ed0113a8bca84d27

SHA512
10f39d33efafaade5288bd73ea6b47f0566244a76d0732749029193a6f555b858a4a61b82ea73b3bc53215c1eaabc6c6619c533a18e9bd056189af18398d9fcf

Download Submit
C:\Windows\{963F131A-55CA-4498-AD8B-BBECA6D575EF}.exe

Filesize
88KB

MD5
02ed25abfa4ff81b572ce0906a92ef73

SHA1
df1d20563117a2eec28e0dbb7868da2704a45aa4

SHA256
88ed5e6860968484b45cdcdde842ca3d468a76d00e4c683df23ad123e2603355

SHA512
9aa116933b006fca18f55d6fbaf90f9eea439cd5379a145aeb14c6d2c31729d3dc76fe5404d3bace51659d19cbca05845c857a8f79980780f39aac7a224e6d3d

Download Submit
C:\Windows\{A7C9BB84-34F6-4257-94AE-C6999778F3EE}.exe

Filesize
88KB

MD5
8f6088f238eeb381b698150b22c5b6ac

SHA1
892219ccab46866ed24334a770b4ffcae303eccb

SHA256
f8e58ef7876b46fd0dadf43c7d5b6f28ded6f4c4d182a44e75e0055f551d1642

SHA512
61d50671f4a0a69d7c751b08513396bbd94ecd93ac68aeb96fb98160ee4cca7c1cb9c3698e64a7b353e6800cd77fd0dcbaf8aa2c076fbe3eb01e8e489ef79918

Download Submit
C:\Windows\{B08609D6-CB51-402e-8BFC-D15B60D50D84}.exe

Filesize
88KB

MD5
666b0af17ccf6e0f19ba156259e687d2

SHA1
9d8b6364f369baf7310c4d0c9278e2a1f68c6140

SHA256
c0396fe903d1d494aaa04edd63bf65d6d8b7c9f54dffedeb65c773623b3bf507

SHA512
06d75f985efc18e26a79ec320c083772af48bd1ec2370d236fb3215e6cd89099a9a4522c22b8991adde40669592aaca720ac43617cbc9bcf1ebde311bbd284d9

Download Submit
C:\Windows\{CB7F408A-9D36-40d6-8038-E2965F9E2063}.exe

Filesize
88KB

MD5
450735f09d3f2ab415173089c40e2834

SHA1
a065ac6f04ccafcb819ae1d82f216fb7bf7db882

SHA256
d841248b3d0b5257c8d484a7117dff078a0a56e4d214fd8fd3f5bbf77de48e39

SHA512
288c9f718a6c8d0c14688c238e0d0f57122c21d96182beffd32c228752542338a93a2c6880695e7185fd7ebeac3831ce4673224b2798de41c97ac90ec71054e2

Download Submit
C:\Windows\{E58B391B-7529-48bc-914C-2533E7F1E63D}.exe

Filesize
88KB

MD5
2960e9b365b7200cc450ed945baa5fa3

SHA1
50e31c6e0cd9eab584f71252443754d416bc7412

SHA256
1c8a170f47af49f30f65f2e9432984010aac6c01e6dd200b58d67547dea1e9cf

SHA512
96c7eefc42af66ee67b8412d7418be8ed3f15addd97680cbeb34a051f1425dd7c54b70da38ce89d83a5aff72437341434f1c45b10d2df89beb769c1e2b496e10

Download Submit
memory/480-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/480-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/480-72-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/680-80-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/680-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1800-4-0x0000000001D10000-0x0000000001D21000-memory.dmp

Filesize
68KB

Download
memory/1800-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1800-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1800-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2640-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2640-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2640-45-0x0000000000440000-0x0000000000451000-memory.dmp

Filesize
68KB

Download
memory/2640-46-0x0000000000440000-0x0000000000451000-memory.dmp

Filesize
68KB

Download
memory/2648-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2648-32-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2916-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2916-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2916-23-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/2948-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2948-62-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/2952-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2952-53-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/2952-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2984-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2984-13-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads