da50e9dead591acc6767031dd881c9f84ef28432bb633da62672dae0f21f40d0

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f98077fd0e38c10eb87848962c651410N.exe
Size

89KB
MD5

f98077fd0e38c10eb87848962c651410
SHA1

230a1a91e557f5c1a4a1c19707db8e55086220c3
SHA256

da50e9dead591acc6767031dd881c9f84ef28432bb633da62672dae0f21f40d0
SHA512

6e3c0bb22ac1cad150b0afe56ca4b53d70a6186126703c621fd6f115612cd1d854367f6b6e78d043f60d5947a71918b6cada12e9b25dd4164b65aee95018d094
SSDEEP

768:Qvw9816vhKQLrom4/wQRNrfrunMxVFA3b7gl5:YEGh0oml2unMxVS3HgX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}\stubpath = "C:\\Windows\\{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe"	{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2299225B-FC17-4621-A74C-E3F860CDFBB8}	f98077fd0e38c10eb87848962c651410N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8894C17-F365-4f21-9DEE-26DE60D76314}	{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}	{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B5BF565-DFD6-4671-B1F9-5FE832E147C4}\stubpath = "C:\\Windows\\{0B5BF565-DFD6-4671-B1F9-5FE832E147C4}.exe"	{C464E2F6-C883-4c79-88E6-8AB210955237}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C891E9F6-EEDA-42b1-8C9E-C423F052830C}\stubpath = "C:\\Windows\\{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe"	{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AD56A67-AE1F-42ba-8A89-606CD60833CE}	{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}	{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}\stubpath = "C:\\Windows\\{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe"	{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C464E2F6-C883-4c79-88E6-8AB210955237}	{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C464E2F6-C883-4c79-88E6-8AB210955237}\stubpath = "C:\\Windows\\{C464E2F6-C883-4c79-88E6-8AB210955237}.exe"	{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B5BF565-DFD6-4671-B1F9-5FE832E147C4}	{C464E2F6-C883-4c79-88E6-8AB210955237}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65085731-9AA1-4510-AF81-5A462FDA97EC}\stubpath = "C:\\Windows\\{65085731-9AA1-4510-AF81-5A462FDA97EC}.exe"	{0B5BF565-DFD6-4671-B1F9-5FE832E147C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8894C17-F365-4f21-9DEE-26DE60D76314}\stubpath = "C:\\Windows\\{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe"	{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AD56A67-AE1F-42ba-8A89-606CD60833CE}\stubpath = "C:\\Windows\\{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe"	{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65085731-9AA1-4510-AF81-5A462FDA97EC}	{0B5BF565-DFD6-4671-B1F9-5FE832E147C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2299225B-FC17-4621-A74C-E3F860CDFBB8}\stubpath = "C:\\Windows\\{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe"	f98077fd0e38c10eb87848962c651410N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C891E9F6-EEDA-42b1-8C9E-C423F052830C}	{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe

Deletes itself 1 IoCs

pid	Process
2836	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2756	{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe
2176	{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe
2548	{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe
276	{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe
1252	{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe
1708	{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe
2896	{C464E2F6-C883-4c79-88E6-8AB210955237}.exe
2260	{0B5BF565-DFD6-4671-B1F9-5FE832E147C4}.exe
2112	{65085731-9AA1-4510-AF81-5A462FDA97EC}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe	{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe
File created	C:\Windows\{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe	{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe
File created	C:\Windows\{C464E2F6-C883-4c79-88E6-8AB210955237}.exe	{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe
File created	C:\Windows\{0B5BF565-DFD6-4671-B1F9-5FE832E147C4}.exe	{C464E2F6-C883-4c79-88E6-8AB210955237}.exe
File created	C:\Windows\{65085731-9AA1-4510-AF81-5A462FDA97EC}.exe	{0B5BF565-DFD6-4671-B1F9-5FE832E147C4}.exe
File created	C:\Windows\{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe	{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe
File created	C:\Windows\{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe	{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe
File created	C:\Windows\{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe	{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe
File created	C:\Windows\{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe	f98077fd0e38c10eb87848962c651410N.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f98077fd0e38c10eb87848962c651410N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C464E2F6-C883-4c79-88E6-8AB210955237}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65085731-9AA1-4510-AF81-5A462FDA97EC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B5BF565-DFD6-4671-B1F9-5FE832E147C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2168	f98077fd0e38c10eb87848962c651410N.exe
Token: SeIncBasePriorityPrivilege	2756	{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe
Token: SeIncBasePriorityPrivilege	2176	{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe
Token: SeIncBasePriorityPrivilege	2548	{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe
Token: SeIncBasePriorityPrivilege	276	{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe
Token: SeIncBasePriorityPrivilege	1252	{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe
Token: SeIncBasePriorityPrivilege	1708	{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe
Token: SeIncBasePriorityPrivilege	2896	{C464E2F6-C883-4c79-88E6-8AB210955237}.exe
Token: SeIncBasePriorityPrivilege	2260	{0B5BF565-DFD6-4671-B1F9-5FE832E147C4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2756	2168	f98077fd0e38c10eb87848962c651410N.exe	30
PID 2168 wrote to memory of 2756	2168	f98077fd0e38c10eb87848962c651410N.exe	30
PID 2168 wrote to memory of 2756	2168	f98077fd0e38c10eb87848962c651410N.exe	30
PID 2168 wrote to memory of 2756	2168	f98077fd0e38c10eb87848962c651410N.exe	30
PID 2168 wrote to memory of 2836	2168	f98077fd0e38c10eb87848962c651410N.exe	31
PID 2168 wrote to memory of 2836	2168	f98077fd0e38c10eb87848962c651410N.exe	31
PID 2168 wrote to memory of 2836	2168	f98077fd0e38c10eb87848962c651410N.exe	31
PID 2168 wrote to memory of 2836	2168	f98077fd0e38c10eb87848962c651410N.exe	31
PID 2756 wrote to memory of 2176	2756	{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe	32
PID 2756 wrote to memory of 2176	2756	{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe	32
PID 2756 wrote to memory of 2176	2756	{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe	32
PID 2756 wrote to memory of 2176	2756	{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe	32
PID 2756 wrote to memory of 2928	2756	{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe	33
PID 2756 wrote to memory of 2928	2756	{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe	33
PID 2756 wrote to memory of 2928	2756	{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe	33
PID 2756 wrote to memory of 2928	2756	{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe	33
PID 2176 wrote to memory of 2548	2176	{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe	34
PID 2176 wrote to memory of 2548	2176	{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe	34
PID 2176 wrote to memory of 2548	2176	{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe	34
PID 2176 wrote to memory of 2548	2176	{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe	34
PID 2176 wrote to memory of 2616	2176	{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe	35
PID 2176 wrote to memory of 2616	2176	{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe	35
PID 2176 wrote to memory of 2616	2176	{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe	35
PID 2176 wrote to memory of 2616	2176	{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe	35
PID 2548 wrote to memory of 276	2548	{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe	36
PID 2548 wrote to memory of 276	2548	{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe	36
PID 2548 wrote to memory of 276	2548	{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe	36
PID 2548 wrote to memory of 276	2548	{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe	36
PID 2548 wrote to memory of 2968	2548	{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe	37
PID 2548 wrote to memory of 2968	2548	{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe	37
PID 2548 wrote to memory of 2968	2548	{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe	37
PID 2548 wrote to memory of 2968	2548	{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe	37
PID 276 wrote to memory of 1252	276	{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe	38
PID 276 wrote to memory of 1252	276	{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe	38
PID 276 wrote to memory of 1252	276	{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe	38
PID 276 wrote to memory of 1252	276	{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe	38
PID 276 wrote to memory of 1908	276	{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe	39
PID 276 wrote to memory of 1908	276	{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe	39
PID 276 wrote to memory of 1908	276	{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe	39
PID 276 wrote to memory of 1908	276	{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe	39
PID 1252 wrote to memory of 1708	1252	{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe	40
PID 1252 wrote to memory of 1708	1252	{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe	40
PID 1252 wrote to memory of 1708	1252	{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe	40
PID 1252 wrote to memory of 1708	1252	{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe	40
PID 1252 wrote to memory of 1488	1252	{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe	41
PID 1252 wrote to memory of 1488	1252	{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe	41
PID 1252 wrote to memory of 1488	1252	{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe	41
PID 1252 wrote to memory of 1488	1252	{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe	41
PID 1708 wrote to memory of 2896	1708	{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe	42
PID 1708 wrote to memory of 2896	1708	{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe	42
PID 1708 wrote to memory of 2896	1708	{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe	42
PID 1708 wrote to memory of 2896	1708	{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe	42
PID 1708 wrote to memory of 2328	1708	{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe	43
PID 1708 wrote to memory of 2328	1708	{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe	43
PID 1708 wrote to memory of 2328	1708	{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe	43
PID 1708 wrote to memory of 2328	1708	{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe	43
PID 2896 wrote to memory of 2260	2896	{C464E2F6-C883-4c79-88E6-8AB210955237}.exe	44
PID 2896 wrote to memory of 2260	2896	{C464E2F6-C883-4c79-88E6-8AB210955237}.exe	44
PID 2896 wrote to memory of 2260	2896	{C464E2F6-C883-4c79-88E6-8AB210955237}.exe	44
PID 2896 wrote to memory of 2260	2896	{C464E2F6-C883-4c79-88E6-8AB210955237}.exe	44
PID 2896 wrote to memory of 2468	2896	{C464E2F6-C883-4c79-88E6-8AB210955237}.exe	45
PID 2896 wrote to memory of 2468	2896	{C464E2F6-C883-4c79-88E6-8AB210955237}.exe	45
PID 2896 wrote to memory of 2468	2896	{C464E2F6-C883-4c79-88E6-8AB210955237}.exe	45
PID 2896 wrote to memory of 2468	2896	{C464E2F6-C883-4c79-88E6-8AB210955237}.exe	45

C:\Users\Admin\AppData\Local\Temp\f98077fd0e38c10eb87848962c651410N.exe
"C:\Users\Admin\AppData\Local\Temp\f98077fd0e38c10eb87848962c651410N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe
  C:\Windows\{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe
    C:\Windows\{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe
      C:\Windows\{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe
        
        C:\Windows\{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:276
      - C:\Windows\{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe
        
        C:\Windows\{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe
        
        C:\Windows\{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\{C464E2F6-C883-4c79-88E6-8AB210955237}.exe
        
        C:\Windows\{C464E2F6-C883-4c79-88E6-8AB210955237}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{0B5BF565-DFD6-4671-B1F9-5FE832E147C4}.exe
        
        C:\Windows\{0B5BF565-DFD6-4671-B1F9-5FE832E147C4}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\{65085731-9AA1-4510-AF81-5A462FDA97EC}.exe
        
        C:\Windows\{65085731-9AA1-4510-AF81-5A462FDA97EC}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B5BF~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C464E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1023F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A349~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AD56~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8894~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C891E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{22992~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F98077~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AD56A67-AE1F-42ba-8A89-606CD60833CE}.exe

Filesize
89KB

MD5
419780de3438c74ef49e09114e616022

SHA1
74b7ee9ab2f674428507c533c647b94c229e539a

SHA256
03d46fedafb82792d0c7e720edc81515ca04e8991b0b001b95f690207533131e

SHA512
abf8a367bd162defcd0d3eb3fe4764e771061deaacd6a40b9ab1b70bf299a205c7572b6fab962efc7fb0ce8fa6e32327e66cfa43e38078c4b8a096be1f3e117e

Download Submit
C:\Windows\{0B5BF565-DFD6-4671-B1F9-5FE832E147C4}.exe

Filesize
89KB

MD5
a6260ab5596e73f72deec42f05c714f1

SHA1
abd288a215bff00503ddba4ea037c92240192672

SHA256
07fdc6ea7a6db7edb8ef649b29a8737bf7571de0f1da3e893d62baa3dcabcf4c

SHA512
6a9e8e8eaeede3bf6dbea5708f9fad5e5205ccb1d4fec50947c42c5514e5c134f9a1229421178dbb2f013e02ccff967ed4feece780020d4a070b838b30dc6ef6

Download Submit
C:\Windows\{1023F0D2-459B-49d7-9EEC-4DA1D63B172F}.exe

Filesize
89KB

MD5
2ff5f13f421fc78df53b9f482347454b

SHA1
3fd3f509af173ae1fbb54a126c63d11fffcf6966

SHA256
61836be2de41f0e9b51ce83da5faf08e1746012b376f8883d69984094b7c74e7

SHA512
2ecda8e39512b5cab7e4d05a029ba2e37416d5e0e3ebd02a363957dbc5b4d4752a4e5940848115d2abbd393b758adbf879a5b9736cd3450fb38975d9ce538de7

Download Submit
C:\Windows\{2299225B-FC17-4621-A74C-E3F860CDFBB8}.exe

Filesize
89KB

MD5
d739ebdcaf02a6a979820bdea9008a82

SHA1
b2b0179911dac7c69fc0be786024174656dce1da

SHA256
8947a6f97d5bee40117f15a8d1e0d21f809a07c949307b78e1d1bdc8778293d6

SHA512
495edcf7eb9122e568579c6f7d6e37b788e52293f349dc31814f3944aa01a35090cc4ef8c0d86653e9bcbee3328ad3cfe24d7a892da3bdd033c7bdb0b700af5f

Download Submit
C:\Windows\{65085731-9AA1-4510-AF81-5A462FDA97EC}.exe

Filesize
89KB

MD5
b7beee5eae2829c848cc9055a17ab97c

SHA1
8d0bf1a2ef5ee95d0c02db8fdff86f2c7cf9e59f

SHA256
24051f8e397655cf6919ba42d03afd33e1bd9b8e60fcf088763cf25ff26b732d

SHA512
be6730e1b96fa2dfcd0cf5897336808731fe1851da2122e31d9d9d8990ecfb0025a399865f41a1c0eb357adda11209dbc2e4de77d4ce59d8d7b44407e76219fb

Download Submit
C:\Windows\{9A349E07-A5D5-49e4-BFA9-8C8F13CC9088}.exe

Filesize
89KB

MD5
a1f2c9136f0fae4c50fc10c413368673

SHA1
b27b0ab41686c63d6799a63ffdc6450f5c8790ea

SHA256
17dd75401bc84f0edb0e9988caf44f8ac951bea5ae03f097ad214392da043e87

SHA512
a84e29ff8d3b03dc90519994fb032cacda355e99ffdf8e587393f405845a5a3e25e6a99d2419f4444ffefb02ebd0f6681c4ce08ec3829156cd2a706cc00e65d6

Download Submit
C:\Windows\{B8894C17-F365-4f21-9DEE-26DE60D76314}.exe

Filesize
89KB

MD5
8becbb91765b361fccf9f3ab25d2f63b

SHA1
3f0a29b6861a1e59f94b4c30b6d571b61fb30cbf

SHA256
777a7fca5d8a006db0aae2ca5ef2d3ce13d7d0ff7e666e06c08a935b8f1fd47b

SHA512
1dbf014a1e12c6d61749c75a09d7dbe8f6178312186156f030644cb0c4991561cce198871e38e5be9e32e0c0756213795f31d777d975b6a07b1e9c5e8e53bdcf

Download Submit
C:\Windows\{C464E2F6-C883-4c79-88E6-8AB210955237}.exe

Filesize
89KB

MD5
3563a3e4a13307125aa4c027d90332e7

SHA1
9ce0b763382c3a8004b4b812cad432d71f2b99ce

SHA256
dbcb5ddf3db8cb984f632df94a96553f02f2c8dd3dd474b5f58688ee5e8ae07e

SHA512
d87573affc0ccc77c7bfb675947dd728354a2f8ddfc2449ac056a4ea4cf73f816bfa1ad7af40d34a58b04499519684f930392e48f0b290f15bc6766fb8eb8184

Download Submit
C:\Windows\{C891E9F6-EEDA-42b1-8C9E-C423F052830C}.exe

Filesize
89KB

MD5
6b7a0df314e16982e4360d1c00d9e71a

SHA1
46617e43ab3de19983bbf097c1231431c3afe641

SHA256
0a1ed0b827804a152ae00d6a89928d101d98ddd5afb370467fbf5edcc976d2ad

SHA512
2db833f67650d5f435ba80e260c0ca7ce8f27503917cd04c226102306ed163c667cc5638da3a6e0604a04dcbc2eda76ce55ed017f9d2ba83adbe39d5f6dbf843

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads