c2e6bba0e03909b106d8e934fd01f5f2da51c139216f09d2feecdcd68c948e89

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e58f01b8c6f9c74156bd4a3c1a4d840N.exe
Size

89KB
MD5

6e58f01b8c6f9c74156bd4a3c1a4d840
SHA1

a2127dc680db9aaa4420d813d12b402ee0729ab2
SHA256

c2e6bba0e03909b106d8e934fd01f5f2da51c139216f09d2feecdcd68c948e89
SHA512

e43414a7c9cd3b0b1d4bf54e94238ec4caa7b25bb58c5dbd9040fc0d06a28cb2e80c2c00669429cf55b2b5b1786c7deb3d6ecc7cf077f456a014ec25dd9977c0
SSDEEP

768:Qvw9816vhKQLroh4/wQRNrfrunMxVFA3b7glL:YEGh0ohl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D49F6C06-8D57-4422-AA3D-131E31878BC8}	{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9283C2C1-1D07-4083-80C7-ECB95E6EF581}\stubpath = "C:\\Windows\\{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe"	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{706F69CC-2903-42b2-848E-4F7D15D86513}\stubpath = "C:\\Windows\\{706F69CC-2903-42b2-848E-4F7D15D86513}.exe"	{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{132E6029-FED2-40a8-ABC5-0DCE50843EBC}	{706F69CC-2903-42b2-848E-4F7D15D86513}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{132E6029-FED2-40a8-ABC5-0DCE50843EBC}\stubpath = "C:\\Windows\\{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe"	{706F69CC-2903-42b2-848E-4F7D15D86513}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9283C2C1-1D07-4083-80C7-ECB95E6EF581}	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41D4A4DC-022C-4eb0-8F35-59591855EEF9}	{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F2E1BDA-2692-43c0-9212-A919183D63D7}	{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11C1A352-5F7F-41cd-BDBA-7238A49DF738}\stubpath = "C:\\Windows\\{11C1A352-5F7F-41cd-BDBA-7238A49DF738}.exe"	{2050A569-E795-4f73-98F9-6D76AF07449D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}	{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}\stubpath = "C:\\Windows\\{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe"	{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D49F6C06-8D57-4422-AA3D-131E31878BC8}\stubpath = "C:\\Windows\\{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe"	{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2050A569-E795-4f73-98F9-6D76AF07449D}	{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11C1A352-5F7F-41cd-BDBA-7238A49DF738}	{2050A569-E795-4f73-98F9-6D76AF07449D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41D4A4DC-022C-4eb0-8F35-59591855EEF9}\stubpath = "C:\\Windows\\{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe"	{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{706F69CC-2903-42b2-848E-4F7D15D86513}	{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F2E1BDA-2692-43c0-9212-A919183D63D7}\stubpath = "C:\\Windows\\{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe"	{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2050A569-E795-4f73-98F9-6D76AF07449D}\stubpath = "C:\\Windows\\{2050A569-E795-4f73-98F9-6D76AF07449D}.exe"	{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe

Executes dropped EXE 9 IoCs

pid	Process
3232	{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe
3460	{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe
4076	{706F69CC-2903-42b2-848E-4F7D15D86513}.exe
4552	{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe
2540	{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe
1356	{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe
3888	{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe
2528	{2050A569-E795-4f73-98F9-6D76AF07449D}.exe
1820	{11C1A352-5F7F-41cd-BDBA-7238A49DF738}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe
File created	C:\Windows\{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe	{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe
File created	C:\Windows\{706F69CC-2903-42b2-848E-4F7D15D86513}.exe	{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe
File created	C:\Windows\{2050A569-E795-4f73-98F9-6D76AF07449D}.exe	{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe
File created	C:\Windows\{11C1A352-5F7F-41cd-BDBA-7238A49DF738}.exe	{2050A569-E795-4f73-98F9-6D76AF07449D}.exe
File created	C:\Windows\{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe	{706F69CC-2903-42b2-848E-4F7D15D86513}.exe
File created	C:\Windows\{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe	{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe
File created	C:\Windows\{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe	{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe
File created	C:\Windows\{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe	{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{11C1A352-5F7F-41cd-BDBA-7238A49DF738}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{706F69CC-2903-42b2-848E-4F7D15D86513}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2050A569-E795-4f73-98F9-6D76AF07449D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1788	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe
Token: SeIncBasePriorityPrivilege	3232	{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe
Token: SeIncBasePriorityPrivilege	3460	{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe
Token: SeIncBasePriorityPrivilege	4076	{706F69CC-2903-42b2-848E-4F7D15D86513}.exe
Token: SeIncBasePriorityPrivilege	4552	{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe
Token: SeIncBasePriorityPrivilege	2540	{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe
Token: SeIncBasePriorityPrivilege	1356	{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe
Token: SeIncBasePriorityPrivilege	3888	{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe
Token: SeIncBasePriorityPrivilege	2528	{2050A569-E795-4f73-98F9-6D76AF07449D}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 3232	1788	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe	93
PID 1788 wrote to memory of 3232	1788	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe	93
PID 1788 wrote to memory of 3232	1788	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe	93
PID 1788 wrote to memory of 1172	1788	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe	94
PID 1788 wrote to memory of 1172	1788	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe	94
PID 1788 wrote to memory of 1172	1788	6e58f01b8c6f9c74156bd4a3c1a4d840N.exe	94
PID 3232 wrote to memory of 3460	3232	{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe	95
PID 3232 wrote to memory of 3460	3232	{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe	95
PID 3232 wrote to memory of 3460	3232	{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe	95
PID 3232 wrote to memory of 3948	3232	{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe	96
PID 3232 wrote to memory of 3948	3232	{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe	96
PID 3232 wrote to memory of 3948	3232	{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe	96
PID 3460 wrote to memory of 4076	3460	{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe	99
PID 3460 wrote to memory of 4076	3460	{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe	99
PID 3460 wrote to memory of 4076	3460	{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe	99
PID 3460 wrote to memory of 4252	3460	{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe	100
PID 3460 wrote to memory of 4252	3460	{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe	100
PID 3460 wrote to memory of 4252	3460	{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe	100
PID 4076 wrote to memory of 4552	4076	{706F69CC-2903-42b2-848E-4F7D15D86513}.exe	101
PID 4076 wrote to memory of 4552	4076	{706F69CC-2903-42b2-848E-4F7D15D86513}.exe	101
PID 4076 wrote to memory of 4552	4076	{706F69CC-2903-42b2-848E-4F7D15D86513}.exe	101
PID 4076 wrote to memory of 3564	4076	{706F69CC-2903-42b2-848E-4F7D15D86513}.exe	102
PID 4076 wrote to memory of 3564	4076	{706F69CC-2903-42b2-848E-4F7D15D86513}.exe	102
PID 4076 wrote to memory of 3564	4076	{706F69CC-2903-42b2-848E-4F7D15D86513}.exe	102
PID 4552 wrote to memory of 2540	4552	{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe	103
PID 4552 wrote to memory of 2540	4552	{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe	103
PID 4552 wrote to memory of 2540	4552	{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe	103
PID 4552 wrote to memory of 2748	4552	{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe	104
PID 4552 wrote to memory of 2748	4552	{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe	104
PID 4552 wrote to memory of 2748	4552	{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe	104
PID 2540 wrote to memory of 1356	2540	{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe	105
PID 2540 wrote to memory of 1356	2540	{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe	105
PID 2540 wrote to memory of 1356	2540	{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe	105
PID 2540 wrote to memory of 3620	2540	{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe	106
PID 2540 wrote to memory of 3620	2540	{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe	106
PID 2540 wrote to memory of 3620	2540	{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe	106
PID 1356 wrote to memory of 3888	1356	{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe	107
PID 1356 wrote to memory of 3888	1356	{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe	107
PID 1356 wrote to memory of 3888	1356	{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe	107
PID 1356 wrote to memory of 3220	1356	{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe	108
PID 1356 wrote to memory of 3220	1356	{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe	108
PID 1356 wrote to memory of 3220	1356	{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe	108
PID 3888 wrote to memory of 2528	3888	{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe	109
PID 3888 wrote to memory of 2528	3888	{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe	109
PID 3888 wrote to memory of 2528	3888	{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe	109
PID 3888 wrote to memory of 2516	3888	{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe	110
PID 3888 wrote to memory of 2516	3888	{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe	110
PID 3888 wrote to memory of 2516	3888	{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe	110
PID 2528 wrote to memory of 1820	2528	{2050A569-E795-4f73-98F9-6D76AF07449D}.exe	111
PID 2528 wrote to memory of 1820	2528	{2050A569-E795-4f73-98F9-6D76AF07449D}.exe	111
PID 2528 wrote to memory of 1820	2528	{2050A569-E795-4f73-98F9-6D76AF07449D}.exe	111
PID 2528 wrote to memory of 1264	2528	{2050A569-E795-4f73-98F9-6D76AF07449D}.exe	112
PID 2528 wrote to memory of 1264	2528	{2050A569-E795-4f73-98F9-6D76AF07449D}.exe	112
PID 2528 wrote to memory of 1264	2528	{2050A569-E795-4f73-98F9-6D76AF07449D}.exe	112

C:\Users\Admin\AppData\Local\Temp\6e58f01b8c6f9c74156bd4a3c1a4d840N.exe
"C:\Users\Admin\AppData\Local\Temp\6e58f01b8c6f9c74156bd4a3c1a4d840N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe
  C:\Windows\{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe
    C:\Windows\{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Windows\{706F69CC-2903-42b2-848E-4F7D15D86513}.exe
      C:\Windows\{706F69CC-2903-42b2-848E-4F7D15D86513}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4076
    - - C:\Windows\{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe
        
        C:\Windows\{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4552
      - C:\Windows\{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe
        
        C:\Windows\{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe
        
        C:\Windows\{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe
        
        C:\Windows\{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\{2050A569-E795-4f73-98F9-6D76AF07449D}.exe
        
        C:\Windows\{2050A569-E795-4f73-98F9-6D76AF07449D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{11C1A352-5F7F-41cd-BDBA-7238A49DF738}.exe
        
        C:\Windows\{11C1A352-5F7F-41cd-BDBA-7238A49DF738}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2050A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D49F6~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7117E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F2E1~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{132E6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{706F6~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{41D4A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9283C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6E58F0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11C1A352-5F7F-41cd-BDBA-7238A49DF738}.exe

Filesize
89KB

MD5
c7486af68c4d2de16d1093d2717836ff

SHA1
7ccd6fedf446ef626120acb4b0f2c3e733ba167a

SHA256
7a24b7bfc66baa9f46a4507112b8c8a0ba0b8412c96506bbaeb9b22f21b88287

SHA512
d36f7f394d07c59fce8cf4d8aaeecba84564751d22dea547fcb33d01d81122f6ac6922884a9a7a5c72d1252c1259a6db0beba64c962af32e953be51178272b2f

Download Submit
C:\Windows\{132E6029-FED2-40a8-ABC5-0DCE50843EBC}.exe

Filesize
89KB

MD5
9838fafc4971e615ef0a7d93b37c5bcf

SHA1
4a0d20da0523594ea599c7d3b68f7437e8055161

SHA256
bdd43101303c4f92584a8d2283d15b0a82e9ad68939cdd853a6396d134ea13a1

SHA512
8ef2d312743ac25c4bbe22120ae81533e708a8e9b8a575e18fdd6503ef2c02319335642911bc71afed68c2d6ff851362c28dc6edad0d74829dd7bf65b348c00f

Download Submit
C:\Windows\{2050A569-E795-4f73-98F9-6D76AF07449D}.exe

Filesize
89KB

MD5
0c384af0686bbd7ab0e02f336b193c32

SHA1
65fca725c48444340b3c4cb6d83507682ba11d91

SHA256
3d4b5f0cb0f95b4fc360af592ead0972b61b0ec31ed627680a6b25224fce5df3

SHA512
800a5f6180544140cf7fbe90005265f1bf5aa6c89964870aed1d9d1ba7b3b675bc6df528c044750e60b051c897f216ff6e36ce2d38a153ff374db42be5ff036e

Download Submit
C:\Windows\{41D4A4DC-022C-4eb0-8F35-59591855EEF9}.exe

Filesize
89KB

MD5
2db36ec390c017fbef27df36d672f0d6

SHA1
d407920db974f7d16a800d788fd0bb768c5bed62

SHA256
30065b9211f64015ab8b35bc7727b9f9c4d52199d031269128aba99bdd808e5b

SHA512
24ccc6305eaf5561edd8fa35c177e081af78f27132a2d5c7ba97980b9a1f329240f4e84d94c3cb0c044fc4912569b0a9c5b611e9b5399b51d3183c1d80bb8600

Download Submit
C:\Windows\{6F2E1BDA-2692-43c0-9212-A919183D63D7}.exe

Filesize
89KB

MD5
48b2475ecdead169a7e23a145d1185e9

SHA1
87e00d40c9b24589ce22db8d2be782a1a2b251d5

SHA256
92d41c320494a9416ceb12c50af3d4ee9244e2e2740283ded68b6780f910f35c

SHA512
2767b3548195abd9b19a886db0a26bbc3a181edef0722bbdaf9e9263e65678a5ff9bc68a9c3440eb6bf6f3ad052fa415be84da3d23ba48003e62884c4e67840e

Download Submit
C:\Windows\{706F69CC-2903-42b2-848E-4F7D15D86513}.exe

Filesize
89KB

MD5
0c8258f70226c6f3c06dcf04f7698d2a

SHA1
42ded54aa3a11567b56508bc088329d937a2d89c

SHA256
a318964cb24fdd02d794d343050d32a86a637ea5362fd2a9475beafa6501e8bf

SHA512
6cb0cc0efe2392a0d0740ac44456e58b4502023edab0b7c02b8cc20267d66bfc9da7d2782c543b5304c42b7ad13405057a1438ec0c87e1d698c7f5f547a09c2b

Download Submit
C:\Windows\{7117EC4F-5748-44a0-9EE8-7879E36B3EF5}.exe

Filesize
89KB

MD5
23b399e507ad7b2569107498551928ea

SHA1
db464416f8c6c02411d2ae3234a09626b1afb91c

SHA256
7f19b732f72c3ae5a230b9cacba7e255a16904495df2eaf72b8414b3066f4762

SHA512
786bb2289f51abd7e37693f7c64827da0578572d5dff5c147d99708795a9e3a7f6c2bb5908d796f7afe502291c7bfb52c84ddcf7a41cabcae589de88d9965c24

Download Submit
C:\Windows\{9283C2C1-1D07-4083-80C7-ECB95E6EF581}.exe

Filesize
89KB

MD5
63f693739159fd994ac54b6fcfc0a21b

SHA1
ec81a7cfe3542622fa3f80e97d3acaa6418ea050

SHA256
874a5ae321919dbb2910a3c5fdd4d957a7e51c974be7965864782e40fb0d268f

SHA512
f50fb90068fef9727eac499eae201461f22f5824fd6aa209ca5dbfecb1c424e60ae87967c0de78d75dd6ec7c8b6b948e9f1d83fd653c724eb359bdd1cc327fca

Download Submit
C:\Windows\{D49F6C06-8D57-4422-AA3D-131E31878BC8}.exe

Filesize
89KB

MD5
2eac1a8968db4fe0304556f3beb84328

SHA1
ba70096a9d4a4b332b168f25a308c31ecc5d1c5c

SHA256
bbb774f41e8c7b204564092a57b5d992f1f158f0c1ccb5a55d429b5b1e4af4f5

SHA512
0d266132fb8f062c2a8ca1b3b82a0414d559405c783708d7536168569d357bb877e8c879be05dfa11c866dc62245235ff5c59ca76375fb9d8f75c79a09456fa2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads