3ff41d79fadb78481dccfd5f3020b638bcc2f41cca036d4204f2c9e59f37672b

Analysis

max time kernel
118s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcd053334fa684eba9ca15619bf06a50N.exe
Size

90KB
MD5

bcd053334fa684eba9ca15619bf06a50
SHA1

4759b9a7a3fb44c641701077ea99a9cc713b762c
SHA256

3ff41d79fadb78481dccfd5f3020b638bcc2f41cca036d4204f2c9e59f37672b
SHA512

64b58a3886ae06b21c9ec4062a5f8f95133e6ea4ef802c0e113e89ab0edc5a7eacc9b730a3a8dbdbf4aa2ead5a0897e3edcc2ab602d6c11e51cacd69245ce6e0
SSDEEP

768:Qvw9816vhKQLros4/wQRNrfrunMxVFA3b7gl/:YEGh0osl2unMxVS3HgR

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AC111FC-8812-46f7-8B18-5C5C5E125F31}	{D6055371-4410-42bb-9F32-034778F5FE96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AC111FC-8812-46f7-8B18-5C5C5E125F31}\stubpath = "C:\\Windows\\{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe"	{D6055371-4410-42bb-9F32-034778F5FE96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77DE992D-6929-4291-98D9-29C949286AE9}	{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCE166DC-2035-4133-A827-4C8D83BEFE3C}	{77DE992D-6929-4291-98D9-29C949286AE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7307CBEE-86AF-4176-9252-5F8AD8183C84}\stubpath = "C:\\Windows\\{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe"	{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1C1454B-D248-4415-A3D9-1E953E68226F}	{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1C1454B-D248-4415-A3D9-1E953E68226F}\stubpath = "C:\\Windows\\{C1C1454B-D248-4415-A3D9-1E953E68226F}.exe"	{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6055371-4410-42bb-9F32-034778F5FE96}	{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86599F1D-CA64-4348-A2AE-4563A9D06D45}\stubpath = "C:\\Windows\\{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe"	{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7307CBEE-86AF-4176-9252-5F8AD8183C84}	{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6055371-4410-42bb-9F32-034778F5FE96}\stubpath = "C:\\Windows\\{D6055371-4410-42bb-9F32-034778F5FE96}.exe"	{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86599F1D-CA64-4348-A2AE-4563A9D06D45}	{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77DE992D-6929-4291-98D9-29C949286AE9}\stubpath = "C:\\Windows\\{77DE992D-6929-4291-98D9-29C949286AE9}.exe"	{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCE166DC-2035-4133-A827-4C8D83BEFE3C}\stubpath = "C:\\Windows\\{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe"	{77DE992D-6929-4291-98D9-29C949286AE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E290695-1B84-4e48-97CE-939F99CB8EE9}	bcd053334fa684eba9ca15619bf06a50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E290695-1B84-4e48-97CE-939F99CB8EE9}\stubpath = "C:\\Windows\\{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe"	bcd053334fa684eba9ca15619bf06a50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}	{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}\stubpath = "C:\\Windows\\{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe"	{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe

Executes dropped EXE 9 IoCs

pid	Process
676	{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe
2356	{D6055371-4410-42bb-9F32-034778F5FE96}.exe
1588	{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe
5020	{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe
2876	{77DE992D-6929-4291-98D9-29C949286AE9}.exe
3692	{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe
4760	{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe
3740	{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe
3848	{C1C1454B-D248-4415-A3D9-1E953E68226F}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe	{D6055371-4410-42bb-9F32-034778F5FE96}.exe
File created	C:\Windows\{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe	{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe
File created	C:\Windows\{77DE992D-6929-4291-98D9-29C949286AE9}.exe	{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe
File created	C:\Windows\{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe	{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe
File created	C:\Windows\{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe	bcd053334fa684eba9ca15619bf06a50N.exe
File created	C:\Windows\{D6055371-4410-42bb-9F32-034778F5FE96}.exe	{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe
File created	C:\Windows\{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe	{77DE992D-6929-4291-98D9-29C949286AE9}.exe
File created	C:\Windows\{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe	{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe
File created	C:\Windows\{C1C1454B-D248-4415-A3D9-1E953E68226F}.exe	{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{77DE992D-6929-4291-98D9-29C949286AE9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C1C1454B-D248-4415-A3D9-1E953E68226F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D6055371-4410-42bb-9F32-034778F5FE96}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcd053334fa684eba9ca15619bf06a50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4532	bcd053334fa684eba9ca15619bf06a50N.exe
Token: SeIncBasePriorityPrivilege	676	{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe
Token: SeIncBasePriorityPrivilege	2356	{D6055371-4410-42bb-9F32-034778F5FE96}.exe
Token: SeIncBasePriorityPrivilege	1588	{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe
Token: SeIncBasePriorityPrivilege	5020	{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe
Token: SeIncBasePriorityPrivilege	2876	{77DE992D-6929-4291-98D9-29C949286AE9}.exe
Token: SeIncBasePriorityPrivilege	3692	{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe
Token: SeIncBasePriorityPrivilege	4760	{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe
Token: SeIncBasePriorityPrivilege	3740	{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 676	4532	bcd053334fa684eba9ca15619bf06a50N.exe	94
PID 4532 wrote to memory of 676	4532	bcd053334fa684eba9ca15619bf06a50N.exe	94
PID 4532 wrote to memory of 676	4532	bcd053334fa684eba9ca15619bf06a50N.exe	94
PID 4532 wrote to memory of 2860	4532	bcd053334fa684eba9ca15619bf06a50N.exe	95
PID 4532 wrote to memory of 2860	4532	bcd053334fa684eba9ca15619bf06a50N.exe	95
PID 4532 wrote to memory of 2860	4532	bcd053334fa684eba9ca15619bf06a50N.exe	95
PID 676 wrote to memory of 2356	676	{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe	96
PID 676 wrote to memory of 2356	676	{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe	96
PID 676 wrote to memory of 2356	676	{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe	96
PID 676 wrote to memory of 1436	676	{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe	97
PID 676 wrote to memory of 1436	676	{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe	97
PID 676 wrote to memory of 1436	676	{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe	97
PID 2356 wrote to memory of 1588	2356	{D6055371-4410-42bb-9F32-034778F5FE96}.exe	100
PID 2356 wrote to memory of 1588	2356	{D6055371-4410-42bb-9F32-034778F5FE96}.exe	100
PID 2356 wrote to memory of 1588	2356	{D6055371-4410-42bb-9F32-034778F5FE96}.exe	100
PID 2356 wrote to memory of 3424	2356	{D6055371-4410-42bb-9F32-034778F5FE96}.exe	101
PID 2356 wrote to memory of 3424	2356	{D6055371-4410-42bb-9F32-034778F5FE96}.exe	101
PID 2356 wrote to memory of 3424	2356	{D6055371-4410-42bb-9F32-034778F5FE96}.exe	101
PID 1588 wrote to memory of 5020	1588	{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe	102
PID 1588 wrote to memory of 5020	1588	{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe	102
PID 1588 wrote to memory of 5020	1588	{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe	102
PID 1588 wrote to memory of 3428	1588	{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe	103
PID 1588 wrote to memory of 3428	1588	{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe	103
PID 1588 wrote to memory of 3428	1588	{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe	103
PID 5020 wrote to memory of 2876	5020	{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe	104
PID 5020 wrote to memory of 2876	5020	{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe	104
PID 5020 wrote to memory of 2876	5020	{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe	104
PID 5020 wrote to memory of 4372	5020	{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe	105
PID 5020 wrote to memory of 4372	5020	{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe	105
PID 5020 wrote to memory of 4372	5020	{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe	105
PID 2876 wrote to memory of 3692	2876	{77DE992D-6929-4291-98D9-29C949286AE9}.exe	106
PID 2876 wrote to memory of 3692	2876	{77DE992D-6929-4291-98D9-29C949286AE9}.exe	106
PID 2876 wrote to memory of 3692	2876	{77DE992D-6929-4291-98D9-29C949286AE9}.exe	106
PID 2876 wrote to memory of 1340	2876	{77DE992D-6929-4291-98D9-29C949286AE9}.exe	107
PID 2876 wrote to memory of 1340	2876	{77DE992D-6929-4291-98D9-29C949286AE9}.exe	107
PID 2876 wrote to memory of 1340	2876	{77DE992D-6929-4291-98D9-29C949286AE9}.exe	107
PID 3692 wrote to memory of 4760	3692	{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe	108
PID 3692 wrote to memory of 4760	3692	{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe	108
PID 3692 wrote to memory of 4760	3692	{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe	108
PID 3692 wrote to memory of 748	3692	{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe	109
PID 3692 wrote to memory of 748	3692	{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe	109
PID 3692 wrote to memory of 748	3692	{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe	109
PID 4760 wrote to memory of 3740	4760	{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe	110
PID 4760 wrote to memory of 3740	4760	{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe	110
PID 4760 wrote to memory of 3740	4760	{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe	110
PID 4760 wrote to memory of 4856	4760	{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe	111
PID 4760 wrote to memory of 4856	4760	{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe	111
PID 4760 wrote to memory of 4856	4760	{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe	111
PID 3740 wrote to memory of 3848	3740	{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe	112
PID 3740 wrote to memory of 3848	3740	{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe	112
PID 3740 wrote to memory of 3848	3740	{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe	112
PID 3740 wrote to memory of 3088	3740	{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe	113
PID 3740 wrote to memory of 3088	3740	{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe	113
PID 3740 wrote to memory of 3088	3740	{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe	113

C:\Users\Admin\AppData\Local\Temp\bcd053334fa684eba9ca15619bf06a50N.exe
"C:\Users\Admin\AppData\Local\Temp\bcd053334fa684eba9ca15619bf06a50N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe
  C:\Windows\{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\{D6055371-4410-42bb-9F32-034778F5FE96}.exe
    C:\Windows\{D6055371-4410-42bb-9F32-034778F5FE96}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe
      C:\Windows\{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe
        
        C:\Windows\{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Windows\{77DE992D-6929-4291-98D9-29C949286AE9}.exe
        
        C:\Windows\{77DE992D-6929-4291-98D9-29C949286AE9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe
        
        C:\Windows\{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe
        
        C:\Windows\{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe
        
        C:\Windows\{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\{C1C1454B-D248-4415-A3D9-1E953E68226F}.exe
        
        C:\Windows\{C1C1454B-D248-4415-A3D9-1E953E68226F}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7307C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16A11~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCE16~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77DE9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86599~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AC11~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D6055~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3E290~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BCD053~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16A118ED-95B8-405b-9A34-EE3B9DE3B7A1}.exe

Filesize
90KB

MD5
2961d63151448cc539a0fa9727250613

SHA1
34ebbf63ad47d5fa291b667f3b91e0acb2a05bad

SHA256
c39cfd08137932a66473aecb6c96ef5b2ce87e7e3087a005f1cd289e6c429857

SHA512
b215586420b50031cdbefa013bfda3ac37577eb1d623b0d29e9c53ad770a0e36a52232ffcf72e466a6cd4a14e2a1cc5498b457ec862462c7d62999dde6ae1677

Download Submit
C:\Windows\{1AC111FC-8812-46f7-8B18-5C5C5E125F31}.exe

Filesize
90KB

MD5
ce3ca6145caa27f8ccf9ddc1d0440035

SHA1
f4592dbb736e90a26dc948dcbab8d6362a2e082d

SHA256
476fc9c1e94c4400bd3b0917d8e96c8696106f164fc9f35db13b930d29f786a4

SHA512
369522e00377c77ce86d4264c9c2109d985c3a076089a65b311109a306922dd99d694817696bf2904e5596a5b3c0d1c06621bd6b7df226872141daa383c84cf1

Download Submit
C:\Windows\{3E290695-1B84-4e48-97CE-939F99CB8EE9}.exe

Filesize
90KB

MD5
2bc8838140a79aa2e76b710fabd10b6b

SHA1
428b66d74be6c689ae30798867153b09590ae851

SHA256
e1ef5487e86edc9cd9f9463d6071c918233fc66ef8c0b9ab9c28edf1a080595d

SHA512
70a0b04609ecd16332cec51450c05dedefb2171e2593b6b3c754e53e38b26e01baece570d05841575446012e097f7ca3d51fb2dd1ab19b536f4784c851442bc3

Download Submit
C:\Windows\{7307CBEE-86AF-4176-9252-5F8AD8183C84}.exe

Filesize
90KB

MD5
e9f98d4e2de364258d40817ecf07a871

SHA1
71e4ce6b93b2cdbc0510212cb62a521887bfc153

SHA256
b99fd2a94084adcfb4533d1e912aabfa7f8c661cf01adaad9a1f9b6bd95f367d

SHA512
c2a60a0c8ff3ec8da7b0a0a49d5cd75d97eeaab010e35b593b99809ef60e7ec504d9e013c4a03ee7f8fee9ac5a50481b1cb816f8033eb3e45dce412c373ecd69

Download Submit
C:\Windows\{77DE992D-6929-4291-98D9-29C949286AE9}.exe

Filesize
90KB

MD5
2dd5b16b8859ec829b0d927ea379b937

SHA1
3cda092aaff7eb65198bd2140f6d521ec6324097

SHA256
723dea91eebfe73181993d1de7febda8de3d8227c009ac26dadfb0124d73c2d3

SHA512
d7aee8a87ec43c6e55f4374a3875c29ae91c92a2d059a217ece07c9f34effba34c91b93da9b49c4b984894445e03c068b9574acf87c500c1f1eb0558c2766dae

Download Submit
C:\Windows\{86599F1D-CA64-4348-A2AE-4563A9D06D45}.exe

Filesize
90KB

MD5
90f969b50f03fed7058b80c722852a7c

SHA1
ac8895720304092344c4c0d385da96a369e3f259

SHA256
f02fc521564034c3580829fc2fc103837cb8958432574f7641fa005d41e6a992

SHA512
ec3e8ceffa7583ea4f3f7d7cdfaa7287aac75c90d55bd6f461912a19c2cd296f4fcebd4523abd8173414e2a0b484c2cac5fc32583c4b8c8ca2302bccb60897c9

Download Submit
C:\Windows\{C1C1454B-D248-4415-A3D9-1E953E68226F}.exe

Filesize
90KB

MD5
64833d839d6abe8cf31e750be4278300

SHA1
376ba4e6127815d10665fc7eec73bd24b456e004

SHA256
03c46e0c0a034d27f57a1a03a483385d47f29873f886583679f36537363be905

SHA512
14f9855dbfebfefd36689010aec2e43238c0885935a0ffaa60d3e5c3c450a8247b2e67ec830189a6b5d9b800985f46a6711877841bbeba81a088bfc2085f0687

Download Submit
C:\Windows\{CCE166DC-2035-4133-A827-4C8D83BEFE3C}.exe

Filesize
90KB

MD5
7fd37346edada70ac76d7970aa7e1c88

SHA1
fd995040861205b2cd178c485b6fee5d8f846e76

SHA256
69e97f4efc40d6808561ccec64e45c52270a2c987e4aa4d92006f4afadbb94b5

SHA512
9b818bb6c9670804efe74da93b7ba29faad8119564945e9e5ac1a61f6024c1eb6df66cec7147a294e6f61fe9d3d690236d3b3b457ca687a89cc0296a0bd4663e

Download Submit
C:\Windows\{D6055371-4410-42bb-9F32-034778F5FE96}.exe

Filesize
90KB

MD5
c25c72753c9e3aba2e6dc03d240d6b0c

SHA1
f3fcedc89f180ac42fa48e69768e7362af544d5a

SHA256
ff14e28f0ea996e36f53e13d8a29f70212d806e858195e1f652ed211e23c5c34

SHA512
b4cf95444e4934ef0cac28b943528bcdd4d430fcc70b0476d414960bb08f5f029cb126568b121898c5668a2612d6594a1749617ec44374fef5752014ce88bc6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads