8564c900d5971b48f88a7c2c65fc194297ff076d706d29788f342ea1a5acf6d6

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79773875e2393fe3f19da7d759a0f550N.exe
Size

79KB
MD5

79773875e2393fe3f19da7d759a0f550
SHA1

07e6975e9cd85446065b602d3604cfe850e96f47
SHA256

8564c900d5971b48f88a7c2c65fc194297ff076d706d29788f342ea1a5acf6d6
SHA512

003b6384c66add9aaf284dffb8710d1414eb9596e65baf3da5e51b72940106aaaa36db3f7075b4da9d6d1191dd006a687061ff86467de75c6204bcb2628523c5
SSDEEP

768:4vw9816vhKQLrod4/wQzXOQ69zbjlAAX5e9zz:wEGh0odlGizbR9Xwzz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B1C5597-AA58-482c-BD17-666C4A07E505}\stubpath = "C:\\Windows\\{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe"	{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11177586-05A5-4e9d-8A2F-4C288220CA73}\stubpath = "C:\\Windows\\{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe"	{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}	{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}\stubpath = "C:\\Windows\\{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe"	{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DE51040-8195-4e29-84DD-0F851EEA639F}\stubpath = "C:\\Windows\\{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe"	{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81B08CCB-9B06-42b2-8719-A61D4B2FD21A}	{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81B08CCB-9B06-42b2-8719-A61D4B2FD21A}\stubpath = "C:\\Windows\\{81B08CCB-9B06-42b2-8719-A61D4B2FD21A}.exe"	{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19511CFE-79EA-4b96-88BA-81D157C59B35}	79773875e2393fe3f19da7d759a0f550N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}	{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{266E2301-80A9-438d-B79D-7751A0BB4DB6}	{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{266E2301-80A9-438d-B79D-7751A0BB4DB6}\stubpath = "C:\\Windows\\{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe"	{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84C0DC41-6063-47f7-A0C5-7709C07CF10B}	{81B08CCB-9B06-42b2-8719-A61D4B2FD21A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84C0DC41-6063-47f7-A0C5-7709C07CF10B}\stubpath = "C:\\Windows\\{84C0DC41-6063-47f7-A0C5-7709C07CF10B}.exe"	{81B08CCB-9B06-42b2-8719-A61D4B2FD21A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19511CFE-79EA-4b96-88BA-81D157C59B35}\stubpath = "C:\\Windows\\{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe"	79773875e2393fe3f19da7d759a0f550N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11177586-05A5-4e9d-8A2F-4C288220CA73}	{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B1C5597-AA58-482c-BD17-666C4A07E505}	{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DE51040-8195-4e29-84DD-0F851EEA639F}	{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}\stubpath = "C:\\Windows\\{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe"	{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2596	{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe
2792	{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe
1824	{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe
2736	{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe
2720	{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe
2104	{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe
2696	{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe
2100	{81B08CCB-9B06-42b2-8719-A61D4B2FD21A}.exe
2300	{84C0DC41-6063-47f7-A0C5-7709C07CF10B}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe	79773875e2393fe3f19da7d759a0f550N.exe
File created	C:\Windows\{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe	{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe
File created	C:\Windows\{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe	{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe
File created	C:\Windows\{81B08CCB-9B06-42b2-8719-A61D4B2FD21A}.exe	{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe
File created	C:\Windows\{84C0DC41-6063-47f7-A0C5-7709C07CF10B}.exe	{81B08CCB-9B06-42b2-8719-A61D4B2FD21A}.exe
File created	C:\Windows\{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe	{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe
File created	C:\Windows\{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe	{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe
File created	C:\Windows\{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe	{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe
File created	C:\Windows\{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe	{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{81B08CCB-9B06-42b2-8719-A61D4B2FD21A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{84C0DC41-6063-47f7-A0C5-7709C07CF10B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79773875e2393fe3f19da7d759a0f550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2336	79773875e2393fe3f19da7d759a0f550N.exe
Token: SeIncBasePriorityPrivilege	2596	{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe
Token: SeIncBasePriorityPrivilege	2792	{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe
Token: SeIncBasePriorityPrivilege	1824	{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe
Token: SeIncBasePriorityPrivilege	2736	{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe
Token: SeIncBasePriorityPrivilege	2720	{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe
Token: SeIncBasePriorityPrivilege	2104	{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe
Token: SeIncBasePriorityPrivilege	2696	{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe
Token: SeIncBasePriorityPrivilege	2100	{81B08CCB-9B06-42b2-8719-A61D4B2FD21A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2596	2336	79773875e2393fe3f19da7d759a0f550N.exe	29
PID 2336 wrote to memory of 2596	2336	79773875e2393fe3f19da7d759a0f550N.exe	29
PID 2336 wrote to memory of 2596	2336	79773875e2393fe3f19da7d759a0f550N.exe	29
PID 2336 wrote to memory of 2596	2336	79773875e2393fe3f19da7d759a0f550N.exe	29
PID 2336 wrote to memory of 2800	2336	79773875e2393fe3f19da7d759a0f550N.exe	30
PID 2336 wrote to memory of 2800	2336	79773875e2393fe3f19da7d759a0f550N.exe	30
PID 2336 wrote to memory of 2800	2336	79773875e2393fe3f19da7d759a0f550N.exe	30
PID 2336 wrote to memory of 2800	2336	79773875e2393fe3f19da7d759a0f550N.exe	30
PID 2596 wrote to memory of 2792	2596	{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe	31
PID 2596 wrote to memory of 2792	2596	{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe	31
PID 2596 wrote to memory of 2792	2596	{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe	31
PID 2596 wrote to memory of 2792	2596	{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe	31
PID 2596 wrote to memory of 2188	2596	{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe	32
PID 2596 wrote to memory of 2188	2596	{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe	32
PID 2596 wrote to memory of 2188	2596	{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe	32
PID 2596 wrote to memory of 2188	2596	{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe	32
PID 2792 wrote to memory of 1824	2792	{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe	33
PID 2792 wrote to memory of 1824	2792	{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe	33
PID 2792 wrote to memory of 1824	2792	{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe	33
PID 2792 wrote to memory of 1824	2792	{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe	33
PID 2792 wrote to memory of 2712	2792	{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe	34
PID 2792 wrote to memory of 2712	2792	{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe	34
PID 2792 wrote to memory of 2712	2792	{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe	34
PID 2792 wrote to memory of 2712	2792	{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe	34
PID 1824 wrote to memory of 2736	1824	{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe	35
PID 1824 wrote to memory of 2736	1824	{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe	35
PID 1824 wrote to memory of 2736	1824	{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe	35
PID 1824 wrote to memory of 2736	1824	{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe	35
PID 1824 wrote to memory of 2716	1824	{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe	36
PID 1824 wrote to memory of 2716	1824	{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe	36
PID 1824 wrote to memory of 2716	1824	{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe	36
PID 1824 wrote to memory of 2716	1824	{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe	36
PID 2736 wrote to memory of 2720	2736	{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe	37
PID 2736 wrote to memory of 2720	2736	{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe	37
PID 2736 wrote to memory of 2720	2736	{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe	37
PID 2736 wrote to memory of 2720	2736	{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe	37
PID 2736 wrote to memory of 752	2736	{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe	38
PID 2736 wrote to memory of 752	2736	{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe	38
PID 2736 wrote to memory of 752	2736	{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe	38
PID 2736 wrote to memory of 752	2736	{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe	38
PID 2720 wrote to memory of 2104	2720	{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe	39
PID 2720 wrote to memory of 2104	2720	{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe	39
PID 2720 wrote to memory of 2104	2720	{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe	39
PID 2720 wrote to memory of 2104	2720	{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe	39
PID 2720 wrote to memory of 2028	2720	{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe	40
PID 2720 wrote to memory of 2028	2720	{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe	40
PID 2720 wrote to memory of 2028	2720	{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe	40
PID 2720 wrote to memory of 2028	2720	{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe	40
PID 2104 wrote to memory of 2696	2104	{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe	42
PID 2104 wrote to memory of 2696	2104	{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe	42
PID 2104 wrote to memory of 2696	2104	{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe	42
PID 2104 wrote to memory of 2696	2104	{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe	42
PID 2104 wrote to memory of 2916	2104	{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe	43
PID 2104 wrote to memory of 2916	2104	{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe	43
PID 2104 wrote to memory of 2916	2104	{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe	43
PID 2104 wrote to memory of 2916	2104	{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe	43
PID 2696 wrote to memory of 2100	2696	{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe	44
PID 2696 wrote to memory of 2100	2696	{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe	44
PID 2696 wrote to memory of 2100	2696	{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe	44
PID 2696 wrote to memory of 2100	2696	{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe	44
PID 2696 wrote to memory of 1048	2696	{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe	45
PID 2696 wrote to memory of 1048	2696	{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe	45
PID 2696 wrote to memory of 1048	2696	{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe	45
PID 2696 wrote to memory of 1048	2696	{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe	45

C:\Users\Admin\AppData\Local\Temp\79773875e2393fe3f19da7d759a0f550N.exe
"C:\Users\Admin\AppData\Local\Temp\79773875e2393fe3f19da7d759a0f550N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe
  C:\Windows\{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe
    C:\Windows\{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe
      C:\Windows\{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Windows\{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe
        
        C:\Windows\{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe
        
        C:\Windows\{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe
        
        C:\Windows\{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe
        
        C:\Windows\{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{81B08CCB-9B06-42b2-8719-A61D4B2FD21A}.exe
        
        C:\Windows\{81B08CCB-9B06-42b2-8719-A61D4B2FD21A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\{84C0DC41-6063-47f7-A0C5-7709C07CF10B}.exe
        
        C:\Windows\{84C0DC41-6063-47f7-A0C5-7709C07CF10B}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81B08~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DE51~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{266E2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94140~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B1C5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11177~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{29712~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{19511~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\797738~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11177586-05A5-4e9d-8A2F-4C288220CA73}.exe

Filesize
79KB

MD5
9154a391c5c285cb78408140fe44d619

SHA1
169afa41c123ab93dd2882c82721ed6db6625006

SHA256
c671c090b3516096a589b159f98842d612515300f46e00124f3169ae2ec66a45

SHA512
92730c7bb2b87b9406373a30ad26e7443c86f686b4d77bd7e7b2a3e4d03b0b7d0356140dfcc038163711071ff7bf8a6db51957d1ea90d2f57353a42293f4df0b

Download Submit
C:\Windows\{19511CFE-79EA-4b96-88BA-81D157C59B35}.exe

Filesize
79KB

MD5
00335c1b6e40e4905120c5d1c5321806

SHA1
e3ed6586a11ba6a2fe5d7967f62dae2ac1aa3511

SHA256
09a781a049503c90435ce5e95813c25f4ab76053c6f2c9088936cb56c4b7c82f

SHA512
8d72f5feb684b594677fa12f1b19643eaa1f89c9dc74f5bb575eab13c06c4b33c3aa610783702997a9a228a956720ffdbade5afd45ee8827505d7d32823d6f20

Download Submit
C:\Windows\{266E2301-80A9-438d-B79D-7751A0BB4DB6}.exe

Filesize
79KB

MD5
d68731b0ab16c54c9a075279cee60041

SHA1
403d3af25fd96c36441e91d47b9b688d9158cbc7

SHA256
593f5c1dc8258584905ec06170a37ed36033a9a080fee081bcbf0d51aea3a2e7

SHA512
1d485760e9dcdb2cce73df3ed359ac9efa9fcc44115a70b86e577c10b9496f0c138d425e50e8fad101a7441d60c7d56822583df580272a3cde6cf87a949fba6f

Download Submit
C:\Windows\{297120D3-B133-4c27-AD01-EBEF0CAF7AF1}.exe

Filesize
79KB

MD5
85f319f68021b53c63b44675af5efad9

SHA1
d45950f337904cd403cd0202bc209e6eeed29898

SHA256
0002813cf54f28e55dda6698b3f2150c528ce6fc010c2ed4700f55e56ededff0

SHA512
8c2023769c659f85b94e329eb265842fa0c549c6c2075a68cea5b03ec72e0db16baa0ca150ee861a10b6aa9477fc77180598de1e74b1182f9c329a8dc9c33015

Download Submit
C:\Windows\{2DE51040-8195-4e29-84DD-0F851EEA639F}.exe

Filesize
79KB

MD5
ed5f42893695fbc1c90fcf5ff459651b

SHA1
46a4ca2c3ea27291bc1683516df3c89189d393f2

SHA256
bccdf0fe48da0e31db745dc5d1553aa982bf296764054af4d823361e7852f7d8

SHA512
9bee89c120fa64e55087d64aae9d6b9344b067e1b5ee620a734b57c47c3d039db11935e602a8d5584f365deb384fa6906fbb072bdf77431c6406ca62c47f31b0

Download Submit
C:\Windows\{5B1C5597-AA58-482c-BD17-666C4A07E505}.exe

Filesize
79KB

MD5
60e53b9437cf6a95d3a9ab80e8099828

SHA1
0f26ca102a1335654d2452a2fb04c4c1670ae324

SHA256
7ff705465866fc442e1ba8ad21b578bd82619030674fee25b06779b9553ad0e3

SHA512
a61245e6ca78f29bad24dd16c9549e4441472d3764c076e96596440607639ddf0d71f51234d6c206f03564b8cd429955a214760f0668bfa6b684d7d8cb8caae9

Download Submit
C:\Windows\{81B08CCB-9B06-42b2-8719-A61D4B2FD21A}.exe

Filesize
79KB

MD5
d4363aceee092f2d0b8d15a5773e11ff

SHA1
b5d78360af325449d31f139cc47f604f1e44d4d0

SHA256
dc3a4a1bd86d55c1e0b5cdf98f4693fb3404056702071a6a918b0e2a7ee1b560

SHA512
d5ce12a5e789758aa57ca7e8eb1260c0a1f2257f460723c8c2fae7b38135601ecb432f3454874ccc69dbae75899b7ca9b4a6c1914453772a90a4e6623c01d132

Download Submit
C:\Windows\{84C0DC41-6063-47f7-A0C5-7709C07CF10B}.exe

Filesize
79KB

MD5
ab413227a61e6af33980b8c0392d0432

SHA1
0527c8f30748f80f2f5ab115b99de37a9ffec2de

SHA256
0183b7e1e0fd1be6360483f4f53ad56e3088b22c9a355cda6b09935525bcc6f6

SHA512
576aced978f3572e040a887cd1c068d27dc9b919b07da88883c2d3d1e5c9fd1c5d28c67f2dc3bc3b9eca1dd79f369d5871025ae71f1e862132b06294d5556377

Download Submit
C:\Windows\{9414093E-1B69-4c30-A7A8-A57FE1EBFBDD}.exe

Filesize
79KB

MD5
b0dd99c6b0cd90204595c0cfbad0ae7e

SHA1
03d3747a14add389d6db7569a991b606a7e845bc

SHA256
6333be0ae452c0b71effb18bab5ace671605dc07ee83738cc274d16a1efcf15d

SHA512
d924824e894a9a51673dab41eaed97b1290acbc4b000190a5b8baf48c9935c146decddcf68aa7291f17b9acd85af859da62e74ef946e77553be010c3da08febd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads