8564c900d5971b48f88a7c2c65fc194297ff076d706d29788f342ea1a5acf6d6

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79773875e2393fe3f19da7d759a0f550N.exe
Size

79KB
MD5

79773875e2393fe3f19da7d759a0f550
SHA1

07e6975e9cd85446065b602d3604cfe850e96f47
SHA256

8564c900d5971b48f88a7c2c65fc194297ff076d706d29788f342ea1a5acf6d6
SHA512

003b6384c66add9aaf284dffb8710d1414eb9596e65baf3da5e51b72940106aaaa36db3f7075b4da9d6d1191dd006a687061ff86467de75c6204bcb2628523c5
SSDEEP

768:4vw9816vhKQLrod4/wQzXOQ69zbjlAAX5e9zz:wEGh0odlGizbR9Xwzz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D961B77C-0767-45ae-BBEF-8A753F77AB71}\stubpath = "C:\\Windows\\{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe"	{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}	{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D2CA4F5-E1DC-445c-B520-50C9A66C2D27}\stubpath = "C:\\Windows\\{4D2CA4F5-E1DC-445c-B520-50C9A66C2D27}.exe"	{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}\stubpath = "C:\\Windows\\{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe"	{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}\stubpath = "C:\\Windows\\{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe"	{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D961B77C-0767-45ae-BBEF-8A753F77AB71}	{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}	{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70443198-3E21-44e8-91F3-9829B45BFBFC}\stubpath = "C:\\Windows\\{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe"	{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D2CA4F5-E1DC-445c-B520-50C9A66C2D27}	{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32035224-EA95-4248-9AB8-C25437525BE4}	79773875e2393fe3f19da7d759a0f550N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D02697C7-4401-45c9-A0DF-173DCA860A26}	{32035224-EA95-4248-9AB8-C25437525BE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D02697C7-4401-45c9-A0DF-173DCA860A26}\stubpath = "C:\\Windows\\{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe"	{32035224-EA95-4248-9AB8-C25437525BE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98EF2468-EB41-45eb-8A67-6D9239876F2E}	{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70443198-3E21-44e8-91F3-9829B45BFBFC}	{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}\stubpath = "C:\\Windows\\{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe"	{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32035224-EA95-4248-9AB8-C25437525BE4}\stubpath = "C:\\Windows\\{32035224-EA95-4248-9AB8-C25437525BE4}.exe"	79773875e2393fe3f19da7d759a0f550N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98EF2468-EB41-45eb-8A67-6D9239876F2E}\stubpath = "C:\\Windows\\{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe"	{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}	{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe

Executes dropped EXE 9 IoCs

pid	Process
1224	{32035224-EA95-4248-9AB8-C25437525BE4}.exe
2672	{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe
3304	{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe
3728	{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe
4088	{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe
4436	{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe
4848	{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe
3480	{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe
5080	{4D2CA4F5-E1DC-445c-B520-50C9A66C2D27}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe	{32035224-EA95-4248-9AB8-C25437525BE4}.exe
File created	C:\Windows\{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe	{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe
File created	C:\Windows\{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe	{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe
File created	C:\Windows\{4D2CA4F5-E1DC-445c-B520-50C9A66C2D27}.exe	{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe
File created	C:\Windows\{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe	{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe
File created	C:\Windows\{32035224-EA95-4248-9AB8-C25437525BE4}.exe	79773875e2393fe3f19da7d759a0f550N.exe
File created	C:\Windows\{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe	{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe
File created	C:\Windows\{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe	{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe
File created	C:\Windows\{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe	{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79773875e2393fe3f19da7d759a0f550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D2CA4F5-E1DC-445c-B520-50C9A66C2D27}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{32035224-EA95-4248-9AB8-C25437525BE4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2204	79773875e2393fe3f19da7d759a0f550N.exe
Token: SeIncBasePriorityPrivilege	1224	{32035224-EA95-4248-9AB8-C25437525BE4}.exe
Token: SeIncBasePriorityPrivilege	2672	{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe
Token: SeIncBasePriorityPrivilege	3304	{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe
Token: SeIncBasePriorityPrivilege	3728	{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe
Token: SeIncBasePriorityPrivilege	4088	{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe
Token: SeIncBasePriorityPrivilege	4436	{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe
Token: SeIncBasePriorityPrivilege	4848	{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe
Token: SeIncBasePriorityPrivilege	3480	{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1224	2204	79773875e2393fe3f19da7d759a0f550N.exe	94
PID 2204 wrote to memory of 1224	2204	79773875e2393fe3f19da7d759a0f550N.exe	94
PID 2204 wrote to memory of 1224	2204	79773875e2393fe3f19da7d759a0f550N.exe	94
PID 2204 wrote to memory of 700	2204	79773875e2393fe3f19da7d759a0f550N.exe	95
PID 2204 wrote to memory of 700	2204	79773875e2393fe3f19da7d759a0f550N.exe	95
PID 2204 wrote to memory of 700	2204	79773875e2393fe3f19da7d759a0f550N.exe	95
PID 1224 wrote to memory of 2672	1224	{32035224-EA95-4248-9AB8-C25437525BE4}.exe	96
PID 1224 wrote to memory of 2672	1224	{32035224-EA95-4248-9AB8-C25437525BE4}.exe	96
PID 1224 wrote to memory of 2672	1224	{32035224-EA95-4248-9AB8-C25437525BE4}.exe	96
PID 1224 wrote to memory of 1168	1224	{32035224-EA95-4248-9AB8-C25437525BE4}.exe	97
PID 1224 wrote to memory of 1168	1224	{32035224-EA95-4248-9AB8-C25437525BE4}.exe	97
PID 1224 wrote to memory of 1168	1224	{32035224-EA95-4248-9AB8-C25437525BE4}.exe	97
PID 2672 wrote to memory of 3304	2672	{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe	100
PID 2672 wrote to memory of 3304	2672	{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe	100
PID 2672 wrote to memory of 3304	2672	{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe	100
PID 2672 wrote to memory of 2564	2672	{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe	101
PID 2672 wrote to memory of 2564	2672	{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe	101
PID 2672 wrote to memory of 2564	2672	{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe	101
PID 3304 wrote to memory of 3728	3304	{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe	102
PID 3304 wrote to memory of 3728	3304	{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe	102
PID 3304 wrote to memory of 3728	3304	{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe	102
PID 3304 wrote to memory of 2544	3304	{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe	103
PID 3304 wrote to memory of 2544	3304	{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe	103
PID 3304 wrote to memory of 2544	3304	{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe	103
PID 3728 wrote to memory of 4088	3728	{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe	104
PID 3728 wrote to memory of 4088	3728	{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe	104
PID 3728 wrote to memory of 4088	3728	{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe	104
PID 3728 wrote to memory of 2360	3728	{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe	105
PID 3728 wrote to memory of 2360	3728	{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe	105
PID 3728 wrote to memory of 2360	3728	{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe	105
PID 4088 wrote to memory of 4436	4088	{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe	106
PID 4088 wrote to memory of 4436	4088	{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe	106
PID 4088 wrote to memory of 4436	4088	{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe	106
PID 4088 wrote to memory of 4348	4088	{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe	107
PID 4088 wrote to memory of 4348	4088	{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe	107
PID 4088 wrote to memory of 4348	4088	{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe	107
PID 4436 wrote to memory of 4848	4436	{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe	108
PID 4436 wrote to memory of 4848	4436	{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe	108
PID 4436 wrote to memory of 4848	4436	{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe	108
PID 4436 wrote to memory of 2716	4436	{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe	109
PID 4436 wrote to memory of 2716	4436	{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe	109
PID 4436 wrote to memory of 2716	4436	{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe	109
PID 4848 wrote to memory of 3480	4848	{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe	110
PID 4848 wrote to memory of 3480	4848	{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe	110
PID 4848 wrote to memory of 3480	4848	{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe	110
PID 4848 wrote to memory of 3424	4848	{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe	111
PID 4848 wrote to memory of 3424	4848	{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe	111
PID 4848 wrote to memory of 3424	4848	{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe	111
PID 3480 wrote to memory of 5080	3480	{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe	112
PID 3480 wrote to memory of 5080	3480	{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe	112
PID 3480 wrote to memory of 5080	3480	{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe	112
PID 3480 wrote to memory of 740	3480	{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe	113
PID 3480 wrote to memory of 740	3480	{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe	113
PID 3480 wrote to memory of 740	3480	{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe	113

C:\Users\Admin\AppData\Local\Temp\79773875e2393fe3f19da7d759a0f550N.exe
"C:\Users\Admin\AppData\Local\Temp\79773875e2393fe3f19da7d759a0f550N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\{32035224-EA95-4248-9AB8-C25437525BE4}.exe
  C:\Windows\{32035224-EA95-4248-9AB8-C25437525BE4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe
    C:\Windows\{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe
      C:\Windows\{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Windows\{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe
        
        C:\Windows\{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
      - C:\Windows\{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe
        
        C:\Windows\{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe
        
        C:\Windows\{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe
        
        C:\Windows\{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe
        
        C:\Windows\{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\{4D2CA4F5-E1DC-445c-B520-50C9A66C2D27}.exe
        
        C:\Windows\{4D2CA4F5-E1DC-445c-B520-50C9A66C2D27}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F188F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D961B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70443~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7058~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98EF2~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6405~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D0269~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{32035~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\797738~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{32035224-EA95-4248-9AB8-C25437525BE4}.exe

Filesize
79KB

MD5
e92796c62ccff0b4641c51df24fdb9bf

SHA1
162cc58f7c70d9ccb02242f9c4289d6c3e85c727

SHA256
b798ae1af2a4d5fb6b3b9aded3df604a24a1acc57d32f00abc3da30019af254c

SHA512
9052ef9407a7f093034538d2c14bdc168b21058063d5b2f6301622137d37135313425784a4a52018938aaf987e75b4c6d49de1445bc23417024279864302e713

Download Submit
C:\Windows\{4D2CA4F5-E1DC-445c-B520-50C9A66C2D27}.exe

Filesize
79KB

MD5
2bc5c066cee60d4f819bcdbc48c0e275

SHA1
d7ee3226cad3192887dd89e6efd22245582bcfed

SHA256
ea827cdb84072d8e0fa6b9e304bf9c076e3f76d8672160c517dee627e7f4c710

SHA512
475f19e2b025d13f3558f26f939d9c47fdf2c96500ccbe5071d59d499519bdb9767402ecbc5b3968ed6db9402aa2b800cbc7102b5786c60b49537cf76156ae20

Download Submit
C:\Windows\{70443198-3E21-44e8-91F3-9829B45BFBFC}.exe

Filesize
79KB

MD5
49ec558d3c440ae1e2c9889456813d4c

SHA1
511c383af9cc6a2f6fa427ec2277b91ced43e731

SHA256
95d60544394a0fcd9811a33301f52bf479d846eca7d0144e200e7278c80aa8ef

SHA512
e12313ffde12e7d5d85eb48725b4257029cd65684ef6d78ab08b9d24200eb688067b6a44f9507274f61cf89ca18266bdab0b7f9b6f1bb47ee8584fb6cb47b92f

Download Submit
C:\Windows\{98EF2468-EB41-45eb-8A67-6D9239876F2E}.exe

Filesize
79KB

MD5
cd3a9432e077ad357c3c14a89c1b4ecd

SHA1
05f65d72496f30e9afd478bf9bcb82dc3b4ad7eb

SHA256
f6220cf4d810e63fd641fe6a071d5e6c221131f5bbfa7c8a1fc34089f3dd7fe0

SHA512
10af105f8e2b0cbdf0549690f80f4e4fa1781d76142e0b5b4b6f24d07a43b59ea1289c6f4f8636b391b9427f76cf69da741f3dfdc9e112e9c095239d72a43fa2

Download Submit
C:\Windows\{A7058A74-A76F-48c7-9DC9-6B265E7E94B3}.exe

Filesize
79KB

MD5
ef38fb5b3b4e3d3a41b5c217e2ad78d5

SHA1
e741259c52b60c56e3d3b3e903ed22d241dacd38

SHA256
f5b4a0cb3ad3557afac32fdc1f3f677096a615323de8ad5051bd51eed057edf6

SHA512
055b44fd7f8ad4e59a4a59355a3d003ff67a62c4ca543e5a4ce30727194b8be3214b4fb76bba70649f020aad674785447821e4e116fbba2c5822b0dfa75e31d2

Download Submit
C:\Windows\{D02697C7-4401-45c9-A0DF-173DCA860A26}.exe

Filesize
79KB

MD5
1fc19bfd9d37e8bb46e26768b0603808

SHA1
77c542fe8e112452733c8049a64d8615ff9cbe38

SHA256
24e00801d2c134d83f16f2084266d2df247877f42d57dc678fe7a13cf89e18e8

SHA512
16d911594e00fbdcf09e7e7eb8e4f00249c52912301e6e1224a2a90357b8ee022d91c7fa88f7c4b5a3199896fe5239387de63038772a0e8d11ca0b7f93f4849d

Download Submit
C:\Windows\{D961B77C-0767-45ae-BBEF-8A753F77AB71}.exe

Filesize
79KB

MD5
1a072d06b9f6ba134e9f7b981a300680

SHA1
8bb20711979f6d899b583e68f4d481e1e7c2b2aa

SHA256
257206135d00fdb47ad9a6e83582bf0a8fedcfe906d614ec4aa0fcece44cf9f7

SHA512
6877bef179b3b88026c5986c1b998ea0ee099ebb5e5353bfb44f3cf1ff17c581e581534cba6d9b7264ea875fec58efc358417dea5187113144bb64657251e596

Download Submit
C:\Windows\{E6405ADB-F3FB-4d11-BA01-8BB84D3FC960}.exe

Filesize
79KB

MD5
fa61c4564933748a28496ea1de20f091

SHA1
158436cdef7cc2d83bc48cfebdbd542970c19df9

SHA256
71da9d867f32709bad683c152660a6c7127e3e3b132effaa8cd2c2f1c88bcb02

SHA512
106695421dc1ff71a40cdd996ab7619280a254afa58b8af0da3416271ffa9dc04b0151d91154f38748e3b40fa06ebc8c9d589e91e2fa4ee29a1299127a3824b5

Download Submit
C:\Windows\{F188FBBB-99BE-4c4f-8312-DD0B481F3DEA}.exe

Filesize
79KB

MD5
7635afcfd6f153fbf2be86bc609b7748

SHA1
b157383a24278c3a8ae046b8bd0a40c2844cd389

SHA256
81b0b02e5b757ac2a1fc09ee66210a790ab798b2f556504aa9822a113288c27f

SHA512
90e641f9f730b9123bcfec83a235d555ac0952273b74a06263f3dc9d62ea3b142e161e4fc6b993405c476692263c0396e5909d44db275795380bd295e863dffa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads