c2e6bba0e03909b106d8e934fd01f5f2da51c139216f09d2feecdcd68c948e89

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e58f01b8c6f9c74156bd4a3c1a4d840N.exe
Size

89KB
MD5

6e58f01b8c6f9c74156bd4a3c1a4d840
SHA1

a2127dc680db9aaa4420d813d12b402ee0729ab2
SHA256

c2e6bba0e03909b106d8e934fd01f5f2da51c139216f09d2feecdcd68c948e89
SHA512

e43414a7c9cd3b0b1d4bf54e94238ec4caa7b25bb58c5dbd9040fc0d06a28cb2e80c2c00669429cf55b2b5b1786c7deb3d6ecc7cf077f456a014ec25dd9977c0
SSDEEP

768:Qvw9816vhKQLroh4/wQRNrfrunMxVFA3b7glL:YEGh0ohl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}\stubpath = "C:\\Windows\\{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe"	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81F209C9-47E2-4caf-AF34-6D1FB190A651}	{BC2125C7-2961-466b-9A55-18185CBD890B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75D5D706-03B8-47ee-B614-27FC2B3CBCCA}\stubpath = "C:\\Windows\\{75D5D706-03B8-47ee-B614-27FC2B3CBCCA}.exe"	{4E849D31-6548-464c-8EF7-BCF94CA8B60E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFDF8D03-160E-4b16-9726-1E608C4A1E73}	{6929C38C-F385-4946-990B-0AFECE3E4631}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC2125C7-2961-466b-9A55-18185CBD890B}	{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC2125C7-2961-466b-9A55-18185CBD890B}\stubpath = "C:\\Windows\\{BC2125C7-2961-466b-9A55-18185CBD890B}.exe"	{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}	{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}\stubpath = "C:\\Windows\\{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe"	{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E849D31-6548-464c-8EF7-BCF94CA8B60E}\stubpath = "C:\\Windows\\{4E849D31-6548-464c-8EF7-BCF94CA8B60E}.exe"	{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6929C38C-F385-4946-990B-0AFECE3E4631}	{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFDF8D03-160E-4b16-9726-1E608C4A1E73}\stubpath = "C:\\Windows\\{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe"	{6929C38C-F385-4946-990B-0AFECE3E4631}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81F209C9-47E2-4caf-AF34-6D1FB190A651}\stubpath = "C:\\Windows\\{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe"	{BC2125C7-2961-466b-9A55-18185CBD890B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CAF6193-39BF-4bb0-8F57-71674922F63A}	{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E849D31-6548-464c-8EF7-BCF94CA8B60E}	{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75D5D706-03B8-47ee-B614-27FC2B3CBCCA}	{4E849D31-6548-464c-8EF7-BCF94CA8B60E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6929C38C-F385-4946-990B-0AFECE3E4631}\stubpath = "C:\\Windows\\{6929C38C-F385-4946-990B-0AFECE3E4631}.exe"	{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CAF6193-39BF-4bb0-8F57-71674922F63A}\stubpath = "C:\\Windows\\{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe"	{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe

Deletes itself 1 IoCs

pid	Process
2116	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1748	{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe
2888	{6929C38C-F385-4946-990B-0AFECE3E4631}.exe
3016	{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe
2688	{BC2125C7-2961-466b-9A55-18185CBD890B}.exe
2300	{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe
1140	{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe
2812	{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe
2036	{4E849D31-6548-464c-8EF7-BCF94CA8B60E}.exe
2488	{75D5D706-03B8-47ee-B614-27FC2B3CBCCA}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{6929C38C-F385-4946-990B-0AFECE3E4631}.exe	{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe
File created	C:\Windows\{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe	{6929C38C-F385-4946-990B-0AFECE3E4631}.exe
File created	C:\Windows\{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe	{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe
File created	C:\Windows\{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe	{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe
File created	C:\Windows\{4E849D31-6548-464c-8EF7-BCF94CA8B60E}.exe	{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe
File created	C:\Windows\{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe
File created	C:\Windows\{BC2125C7-2961-466b-9A55-18185CBD890B}.exe	{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe
File created	C:\Windows\{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe	{BC2125C7-2961-466b-9A55-18185CBD890B}.exe
File created	C:\Windows\{75D5D706-03B8-47ee-B614-27FC2B3CBCCA}.exe	{4E849D31-6548-464c-8EF7-BCF94CA8B60E}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6929C38C-F385-4946-990B-0AFECE3E4631}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E849D31-6548-464c-8EF7-BCF94CA8B60E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BC2125C7-2961-466b-9A55-18185CBD890B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75D5D706-03B8-47ee-B614-27FC2B3CBCCA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2712	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe
Token: SeIncBasePriorityPrivilege	1748	{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe
Token: SeIncBasePriorityPrivilege	2888	{6929C38C-F385-4946-990B-0AFECE3E4631}.exe
Token: SeIncBasePriorityPrivilege	3016	{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe
Token: SeIncBasePriorityPrivilege	2688	{BC2125C7-2961-466b-9A55-18185CBD890B}.exe
Token: SeIncBasePriorityPrivilege	2300	{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe
Token: SeIncBasePriorityPrivilege	1140	{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe
Token: SeIncBasePriorityPrivilege	2812	{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe
Token: SeIncBasePriorityPrivilege	2036	{4E849D31-6548-464c-8EF7-BCF94CA8B60E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 1748	2712	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe	30
PID 2712 wrote to memory of 1748	2712	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe	30
PID 2712 wrote to memory of 1748	2712	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe	30
PID 2712 wrote to memory of 1748	2712	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe	30
PID 2712 wrote to memory of 2116	2712	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe	31
PID 2712 wrote to memory of 2116	2712	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe	31
PID 2712 wrote to memory of 2116	2712	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe	31
PID 2712 wrote to memory of 2116	2712	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe	31
PID 1748 wrote to memory of 2888	1748	{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe	33
PID 1748 wrote to memory of 2888	1748	{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe	33
PID 1748 wrote to memory of 2888	1748	{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe	33
PID 1748 wrote to memory of 2888	1748	{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe	33
PID 1748 wrote to memory of 2920	1748	{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe	34
PID 1748 wrote to memory of 2920	1748	{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe	34
PID 1748 wrote to memory of 2920	1748	{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe	34
PID 1748 wrote to memory of 2920	1748	{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe	34
PID 2888 wrote to memory of 3016	2888	{6929C38C-F385-4946-990B-0AFECE3E4631}.exe	35
PID 2888 wrote to memory of 3016	2888	{6929C38C-F385-4946-990B-0AFECE3E4631}.exe	35
PID 2888 wrote to memory of 3016	2888	{6929C38C-F385-4946-990B-0AFECE3E4631}.exe	35
PID 2888 wrote to memory of 3016	2888	{6929C38C-F385-4946-990B-0AFECE3E4631}.exe	35
PID 2888 wrote to memory of 2956	2888	{6929C38C-F385-4946-990B-0AFECE3E4631}.exe	36
PID 2888 wrote to memory of 2956	2888	{6929C38C-F385-4946-990B-0AFECE3E4631}.exe	36
PID 2888 wrote to memory of 2956	2888	{6929C38C-F385-4946-990B-0AFECE3E4631}.exe	36
PID 2888 wrote to memory of 2956	2888	{6929C38C-F385-4946-990B-0AFECE3E4631}.exe	36
PID 3016 wrote to memory of 2688	3016	{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe	37
PID 3016 wrote to memory of 2688	3016	{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe	37
PID 3016 wrote to memory of 2688	3016	{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe	37
PID 3016 wrote to memory of 2688	3016	{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe	37
PID 3016 wrote to memory of 2628	3016	{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe	38
PID 3016 wrote to memory of 2628	3016	{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe	38
PID 3016 wrote to memory of 2628	3016	{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe	38
PID 3016 wrote to memory of 2628	3016	{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe	38
PID 2688 wrote to memory of 2300	2688	{BC2125C7-2961-466b-9A55-18185CBD890B}.exe	39
PID 2688 wrote to memory of 2300	2688	{BC2125C7-2961-466b-9A55-18185CBD890B}.exe	39
PID 2688 wrote to memory of 2300	2688	{BC2125C7-2961-466b-9A55-18185CBD890B}.exe	39
PID 2688 wrote to memory of 2300	2688	{BC2125C7-2961-466b-9A55-18185CBD890B}.exe	39
PID 2688 wrote to memory of 2252	2688	{BC2125C7-2961-466b-9A55-18185CBD890B}.exe	40
PID 2688 wrote to memory of 2252	2688	{BC2125C7-2961-466b-9A55-18185CBD890B}.exe	40
PID 2688 wrote to memory of 2252	2688	{BC2125C7-2961-466b-9A55-18185CBD890B}.exe	40
PID 2688 wrote to memory of 2252	2688	{BC2125C7-2961-466b-9A55-18185CBD890B}.exe	40
PID 2300 wrote to memory of 1140	2300	{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe	41
PID 2300 wrote to memory of 1140	2300	{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe	41
PID 2300 wrote to memory of 1140	2300	{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe	41
PID 2300 wrote to memory of 1140	2300	{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe	41
PID 2300 wrote to memory of 1948	2300	{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe	42
PID 2300 wrote to memory of 1948	2300	{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe	42
PID 2300 wrote to memory of 1948	2300	{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe	42
PID 2300 wrote to memory of 1948	2300	{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe	42
PID 1140 wrote to memory of 2812	1140	{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe	43
PID 1140 wrote to memory of 2812	1140	{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe	43
PID 1140 wrote to memory of 2812	1140	{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe	43
PID 1140 wrote to memory of 2812	1140	{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe	43
PID 1140 wrote to memory of 2844	1140	{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe	44
PID 1140 wrote to memory of 2844	1140	{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe	44
PID 1140 wrote to memory of 2844	1140	{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe	44
PID 1140 wrote to memory of 2844	1140	{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe	44
PID 2812 wrote to memory of 2036	2812	{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe	45
PID 2812 wrote to memory of 2036	2812	{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe	45
PID 2812 wrote to memory of 2036	2812	{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe	45
PID 2812 wrote to memory of 2036	2812	{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe	45
PID 2812 wrote to memory of 2020	2812	{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe	46
PID 2812 wrote to memory of 2020	2812	{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe	46
PID 2812 wrote to memory of 2020	2812	{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe	46
PID 2812 wrote to memory of 2020	2812	{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe	46

C:\Users\Admin\AppData\Local\Temp\6e58f01b8c6f9c74156bd4a3c1a4d840N.exe
"C:\Users\Admin\AppData\Local\Temp\6e58f01b8c6f9c74156bd4a3c1a4d840N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe
  C:\Windows\{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\{6929C38C-F385-4946-990B-0AFECE3E4631}.exe
    C:\Windows\{6929C38C-F385-4946-990B-0AFECE3E4631}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe
      C:\Windows\{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\{BC2125C7-2961-466b-9A55-18185CBD890B}.exe
        
        C:\Windows\{BC2125C7-2961-466b-9A55-18185CBD890B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe
        
        C:\Windows\{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe
        
        C:\Windows\{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe
        
        C:\Windows\{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\{4E849D31-6548-464c-8EF7-BCF94CA8B60E}.exe
        
        C:\Windows\{4E849D31-6548-464c-8EF7-BCF94CA8B60E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\{75D5D706-03B8-47ee-B614-27FC2B3CBCCA}.exe
        
        C:\Windows\{75D5D706-03B8-47ee-B614-27FC2B3CBCCA}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E849~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CAF6~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB9CB~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81F20~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC212~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFDF8~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6929C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E93CE~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6E58F0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4E849D31-6548-464c-8EF7-BCF94CA8B60E}.exe

Filesize
89KB

MD5
8842977fdc3650786bb79d4e958a2e7b

SHA1
01bc3cefee46576adfcad119b289e9c905d4f3ba

SHA256
c584dc4d8668d32fa603f018877cb7cbc548d3207372901300d724f3e70f7d5d

SHA512
597ca98391a86fdfd705e22bca329b0426f3e7484caf3b9d15a5c89bd5a457fcf0fba9b8e9c7778d1e6b87e5a245681a70d54b5e85ee41aac22769184f0ba059

Download Submit
C:\Windows\{6929C38C-F385-4946-990B-0AFECE3E4631}.exe

Filesize
89KB

MD5
004b270ffde966d52419e3ff03be0412

SHA1
f32f3a21201cc3a498e283e03f405f15ac264a50

SHA256
3b05f9a5c3ab06c075b7b8384f585618aa4801d46b12667b4baf61a618517f7e

SHA512
48ffdcced3d5dfff84618c3e5a938c4f789c28197b07719a8ad2a72ab2b23da2e5bb79396ed2ff3e54347f07eca7367b205386a2583bf2ee56a1dd8ae265ac9d

Download Submit
C:\Windows\{75D5D706-03B8-47ee-B614-27FC2B3CBCCA}.exe

Filesize
89KB

MD5
15e64434cf797baf953cfce93ceb124b

SHA1
777b49c4a338fb01e627d73efd67f5cfc82aee23

SHA256
bc5b172a2baeb8d25ff80ef8f22032cf530d69301f45332ba7cf9ad35f7ec97a

SHA512
4941d355aa8c4cf529a1d3f3fcfcf5604bd38035d793367727ee527127fa6c4988fc642324188f7165844d92d1960ecde6e23c9563f046760e9e04419f5c0a00

Download Submit
C:\Windows\{81F209C9-47E2-4caf-AF34-6D1FB190A651}.exe

Filesize
89KB

MD5
dbbf7a1bc6a2d77d962d07e2e5b74058

SHA1
be35201543f23ff31a0a88f7dd0aee419e0f2d67

SHA256
7955c770c7a9b7617e5f4323f21a78da40c9ab4421881046aa73429649d26d09

SHA512
42b1f313dfc31824fbf555fb1d51c50f9f7655feadeccd033b972b28553fd16487c30ddeb0260b4c802628b6ee8d3b46e90671e00aa5e0bedb2aeb69846b432d

Download Submit
C:\Windows\{8CAF6193-39BF-4bb0-8F57-71674922F63A}.exe

Filesize
89KB

MD5
2210a104d35a721905878636ffc73eb3

SHA1
07df123fe2b67a1af22d1fd0c9b7af5ce2853715

SHA256
cd77e6ccf5577e76ceb09015ef74b686335e51ef50aeb362e9a6773b81d78dae

SHA512
46c8c1a96d7396b2c92b05e0e903ee4388b96cb0f7285e257f8db38814c0219b8daf9fd94ae6704f2c0f2ac3fa253664b3e3fa013ee110822661d65e083f0bea

Download Submit
C:\Windows\{BC2125C7-2961-466b-9A55-18185CBD890B}.exe

Filesize
89KB

MD5
a6b384bfc938131d7213a601643a106f

SHA1
c5b3397ea8a9124520019db2ab66c38c52703586

SHA256
d2c14da9a821e069cd3c12823b0a97611cf8fe9e014aff60b07bdbc4291dd271

SHA512
1694a3f5e81e47671d89ac37e0396c26e274f5e87b1316a7941767a07f6bc8ae76f961d2e33a7284f0bbc2e44d312ab43bd1fe7ca5418e3fbf863ec828439161

Download Submit
C:\Windows\{BFDF8D03-160E-4b16-9726-1E608C4A1E73}.exe

Filesize
89KB

MD5
3d8bb8d9c73bcd6a18cdc6784f03f1ab

SHA1
8a013640e6350583f301a7a6deef8580c83e50a1

SHA256
a5b2e88cf491e6d7c147d11b00cf147e1e492c6221ce7ee691c6d4cf1c545907

SHA512
bbd2a00d3416163f234aee52d78f36bf7ad2865165bca39c95a08fa0b1d82eae333a705b30120dcbc8f6ce9c66b2957ed01b2ba513cb84313adae135d4bf03f0

Download Submit
C:\Windows\{CB9CB113-AA19-415c-9537-AABEDE6C6B3F}.exe

Filesize
89KB

MD5
e80ab142d05bf26e21655685eb536295

SHA1
98fd5545f21dd59b523dfd87bb77a5b9aa6e616e

SHA256
2d38d1fef23a52e9e18062db9dfa7b4a14fc6a159dd1869af06088a2f4d0205d

SHA512
d0808236ee1b39f7504d7eff4bd387b729230f48c640395fd369bde864ca241d6b01a863152766fc2b6a1d62e84e6356450d98c8afa1595532ea97df0656a5e3

Download Submit
C:\Windows\{E93CE9CB-80B5-4874-B8B3-FBF0B80A7CB7}.exe

Filesize
89KB

MD5
2f8a752657fe61436c328770970667d9

SHA1
011a09beb791ff853f25c689e70aaa43a4a258f3

SHA256
b924a972a4b40ab30ea9c5c7d1e7c806cd363268fdd249c88f2192b63af17313

SHA512
9f17f9c425eb41e3ac893cabc9a978d1489ab46c40a733e286f550efcadaa0d64657ce5d93dab782fadc409f262e24f7c254348e58881a47f561e99882c1c6f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads