3ef0ac894f1cca93e4fc8eefeb75da6ad8b6af7f1204af96d921d51da865dcaa

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afefab2dea177f8e80adc26712526190N.exe
Size

91KB
MD5

afefab2dea177f8e80adc26712526190
SHA1

1bfdb93e1fa684db303e663416b1654a9117511f
SHA256

3ef0ac894f1cca93e4fc8eefeb75da6ad8b6af7f1204af96d921d51da865dcaa
SHA512

c1c0ebca8ad2d49ca47398d66d70729d7bdd46ec39aa2f139129efb9fc8bc70fda720b278512c9cc5e7dbe740ee1bd117bd0cd62cab36569a22ff4e9a60c83f5
SSDEEP

768:5vw9816uhKiroM4/wQNNrfrunMxVFA3b7t:lEGkmoMlCunMxVS3Ht

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}	{7211F226-D85F-4995-8269-C7F951B78641}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}\stubpath = "C:\\Windows\\{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe"	{7211F226-D85F-4995-8269-C7F951B78641}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C65C941-278D-4887-B900-8F9BD84D6AB4}\stubpath = "C:\\Windows\\{2C65C941-278D-4887-B900-8F9BD84D6AB4}.exe"	{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7211F226-D85F-4995-8269-C7F951B78641}\stubpath = "C:\\Windows\\{7211F226-D85F-4995-8269-C7F951B78641}.exe"	{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8654E9D-A888-462e-8FCE-20A53E9EE253}	{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8654E9D-A888-462e-8FCE-20A53E9EE253}\stubpath = "C:\\Windows\\{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe"	{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}\stubpath = "C:\\Windows\\{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe"	{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECFA3450-603C-4cab-9B16-80E8589CA310}	{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECFA3450-603C-4cab-9B16-80E8589CA310}\stubpath = "C:\\Windows\\{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe"	{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}	{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7211F226-D85F-4995-8269-C7F951B78641}	{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}	afefab2dea177f8e80adc26712526190N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA2C9018-9664-4968-B1AE-02203B060DE2}\stubpath = "C:\\Windows\\{BA2C9018-9664-4968-B1AE-02203B060DE2}.exe"	{2C65C941-278D-4887-B900-8F9BD84D6AB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}	{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}\stubpath = "C:\\Windows\\{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe"	{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C65C941-278D-4887-B900-8F9BD84D6AB4}	{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA2C9018-9664-4968-B1AE-02203B060DE2}	{2C65C941-278D-4887-B900-8F9BD84D6AB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}\stubpath = "C:\\Windows\\{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe"	afefab2dea177f8e80adc26712526190N.exe

Deletes itself 1 IoCs

pid	Process
2248	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2448	{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe
2744	{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe
2712	{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe
2608	{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe
1808	{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe
2424	{7211F226-D85F-4995-8269-C7F951B78641}.exe
1868	{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe
2664	{2C65C941-278D-4887-B900-8F9BD84D6AB4}.exe
3060	{BA2C9018-9664-4968-B1AE-02203B060DE2}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe	afefab2dea177f8e80adc26712526190N.exe
File created	C:\Windows\{2C65C941-278D-4887-B900-8F9BD84D6AB4}.exe	{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe
File created	C:\Windows\{BA2C9018-9664-4968-B1AE-02203B060DE2}.exe	{2C65C941-278D-4887-B900-8F9BD84D6AB4}.exe
File created	C:\Windows\{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe	{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe
File created	C:\Windows\{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe	{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe
File created	C:\Windows\{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe	{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe
File created	C:\Windows\{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe	{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe
File created	C:\Windows\{7211F226-D85F-4995-8269-C7F951B78641}.exe	{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe
File created	C:\Windows\{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe	{7211F226-D85F-4995-8269-C7F951B78641}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C65C941-278D-4887-B900-8F9BD84D6AB4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afefab2dea177f8e80adc26712526190N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BA2C9018-9664-4968-B1AE-02203B060DE2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7211F226-D85F-4995-8269-C7F951B78641}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2936	afefab2dea177f8e80adc26712526190N.exe
Token: SeIncBasePriorityPrivilege	2448	{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe
Token: SeIncBasePriorityPrivilege	2744	{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe
Token: SeIncBasePriorityPrivilege	2712	{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe
Token: SeIncBasePriorityPrivilege	2608	{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe
Token: SeIncBasePriorityPrivilege	1808	{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe
Token: SeIncBasePriorityPrivilege	2424	{7211F226-D85F-4995-8269-C7F951B78641}.exe
Token: SeIncBasePriorityPrivilege	1868	{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe
Token: SeIncBasePriorityPrivilege	2664	{2C65C941-278D-4887-B900-8F9BD84D6AB4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2448	2936	afefab2dea177f8e80adc26712526190N.exe	31
PID 2936 wrote to memory of 2448	2936	afefab2dea177f8e80adc26712526190N.exe	31
PID 2936 wrote to memory of 2448	2936	afefab2dea177f8e80adc26712526190N.exe	31
PID 2936 wrote to memory of 2448	2936	afefab2dea177f8e80adc26712526190N.exe	31
PID 2936 wrote to memory of 2248	2936	afefab2dea177f8e80adc26712526190N.exe	32
PID 2936 wrote to memory of 2248	2936	afefab2dea177f8e80adc26712526190N.exe	32
PID 2936 wrote to memory of 2248	2936	afefab2dea177f8e80adc26712526190N.exe	32
PID 2936 wrote to memory of 2248	2936	afefab2dea177f8e80adc26712526190N.exe	32
PID 2448 wrote to memory of 2744	2448	{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe	33
PID 2448 wrote to memory of 2744	2448	{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe	33
PID 2448 wrote to memory of 2744	2448	{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe	33
PID 2448 wrote to memory of 2744	2448	{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe	33
PID 2448 wrote to memory of 2864	2448	{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe	34
PID 2448 wrote to memory of 2864	2448	{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe	34
PID 2448 wrote to memory of 2864	2448	{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe	34
PID 2448 wrote to memory of 2864	2448	{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe	34
PID 2744 wrote to memory of 2712	2744	{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe	35
PID 2744 wrote to memory of 2712	2744	{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe	35
PID 2744 wrote to memory of 2712	2744	{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe	35
PID 2744 wrote to memory of 2712	2744	{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe	35
PID 2744 wrote to memory of 2684	2744	{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe	36
PID 2744 wrote to memory of 2684	2744	{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe	36
PID 2744 wrote to memory of 2684	2744	{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe	36
PID 2744 wrote to memory of 2684	2744	{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe	36
PID 2712 wrote to memory of 2608	2712	{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe	37
PID 2712 wrote to memory of 2608	2712	{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe	37
PID 2712 wrote to memory of 2608	2712	{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe	37
PID 2712 wrote to memory of 2608	2712	{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe	37
PID 2712 wrote to memory of 2668	2712	{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe	38
PID 2712 wrote to memory of 2668	2712	{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe	38
PID 2712 wrote to memory of 2668	2712	{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe	38
PID 2712 wrote to memory of 2668	2712	{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe	38
PID 2608 wrote to memory of 1808	2608	{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe	39
PID 2608 wrote to memory of 1808	2608	{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe	39
PID 2608 wrote to memory of 1808	2608	{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe	39
PID 2608 wrote to memory of 1808	2608	{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe	39
PID 2608 wrote to memory of 1484	2608	{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe	40
PID 2608 wrote to memory of 1484	2608	{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe	40
PID 2608 wrote to memory of 1484	2608	{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe	40
PID 2608 wrote to memory of 1484	2608	{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe	40
PID 1808 wrote to memory of 2424	1808	{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe	41
PID 1808 wrote to memory of 2424	1808	{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe	41
PID 1808 wrote to memory of 2424	1808	{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe	41
PID 1808 wrote to memory of 2424	1808	{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe	41
PID 1808 wrote to memory of 1584	1808	{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe	42
PID 1808 wrote to memory of 1584	1808	{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe	42
PID 1808 wrote to memory of 1584	1808	{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe	42
PID 1808 wrote to memory of 1584	1808	{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe	42
PID 2424 wrote to memory of 1868	2424	{7211F226-D85F-4995-8269-C7F951B78641}.exe	43
PID 2424 wrote to memory of 1868	2424	{7211F226-D85F-4995-8269-C7F951B78641}.exe	43
PID 2424 wrote to memory of 1868	2424	{7211F226-D85F-4995-8269-C7F951B78641}.exe	43
PID 2424 wrote to memory of 1868	2424	{7211F226-D85F-4995-8269-C7F951B78641}.exe	43
PID 2424 wrote to memory of 1624	2424	{7211F226-D85F-4995-8269-C7F951B78641}.exe	44
PID 2424 wrote to memory of 1624	2424	{7211F226-D85F-4995-8269-C7F951B78641}.exe	44
PID 2424 wrote to memory of 1624	2424	{7211F226-D85F-4995-8269-C7F951B78641}.exe	44
PID 2424 wrote to memory of 1624	2424	{7211F226-D85F-4995-8269-C7F951B78641}.exe	44
PID 1868 wrote to memory of 2664	1868	{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe	45
PID 1868 wrote to memory of 2664	1868	{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe	45
PID 1868 wrote to memory of 2664	1868	{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe	45
PID 1868 wrote to memory of 2664	1868	{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe	45
PID 1868 wrote to memory of 2312	1868	{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe	46
PID 1868 wrote to memory of 2312	1868	{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe	46
PID 1868 wrote to memory of 2312	1868	{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe	46
PID 1868 wrote to memory of 2312	1868	{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe	46

C:\Users\Admin\AppData\Local\Temp\afefab2dea177f8e80adc26712526190N.exe
"C:\Users\Admin\AppData\Local\Temp\afefab2dea177f8e80adc26712526190N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe
  C:\Windows\{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe
    C:\Windows\{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe
      C:\Windows\{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe
        
        C:\Windows\{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe
        
        C:\Windows\{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{7211F226-D85F-4995-8269-C7F951B78641}.exe
        
        C:\Windows\{7211F226-D85F-4995-8269-C7F951B78641}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe
        
        C:\Windows\{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{2C65C941-278D-4887-B900-8F9BD84D6AB4}.exe
        
        C:\Windows\{2C65C941-278D-4887-B900-8F9BD84D6AB4}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\{BA2C9018-9664-4968-B1AE-02203B060DE2}.exe
        
        C:\Windows\{BA2C9018-9664-4968-B1AE-02203B060DE2}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C65C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43D0E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7211F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A101~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECFA3~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4597~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F8654~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{86A7E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AFEFAB~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2C65C941-278D-4887-B900-8F9BD84D6AB4}.exe

Filesize
91KB

MD5
7044b3b907bb1245ca5cc7c5cef5034b

SHA1
535cb3500af82c9a9e40a4148b350a90af747bb4

SHA256
6a02bdcb03a8dbaac4d051ce4b9d071f7c9cd195c512834e85f8a19394cc3961

SHA512
4ccf9eb475b5553f72989e1c2d13792ae7519d071d948678378866dc024f3cdc0c15e02de5dc552276b65b99b8407b760ef169ca9c2cf5129cb21eb91f79d12f

Download Submit
C:\Windows\{43D0E040-6596-4ac9-BF2E-FCBFAF5373E1}.exe

Filesize
91KB

MD5
a60575a11493283805b3f597e69f13bf

SHA1
17fcae4a16cf376f0d87518536544bf6801b3fd6

SHA256
f0b5bf7eaa0f2b4c5f56d9bb83a7a3a25a4e63de601fd336d5c8223a79e01450

SHA512
e8f36ec26a42c5be110831d5ddc857360a50e014c9386ad45d45fb514c42bcc006c5cacbf80bd449732196c7efe4d1668f2fef927575356b3e750bafc46087b3

Download Submit
C:\Windows\{4A1010BA-CC3C-4ef3-ABCE-3E86AB4D3AEC}.exe

Filesize
91KB

MD5
7bc9b03eb936c49b93ebbfe6362aac80

SHA1
245077f275791ac476edcf2a9eda23cee09ac944

SHA256
2f2703a8cfc0272d76c1bddb5e8c6226eeac58b1cdb122e6d62b8f890e7b9d46

SHA512
debbcc25fde4a274c04651cc2f004df1f0065b69b2de7ea98233eb908e714d4a06dee52f9763ee20e4788013fc07ffded7f9cc068eccd25de602be8c547c44ee

Download Submit
C:\Windows\{7211F226-D85F-4995-8269-C7F951B78641}.exe

Filesize
91KB

MD5
5d8f08f83a0b834cd0367c44271fef7a

SHA1
f76d8848c87a3b6268c5de68eafd23c87f06e68e

SHA256
de02a491413110b9c5bc1f269763e7686580c8b15c32f6be5ca0e9ad60b49175

SHA512
ecc394aecba7fd1c0826aab522021c1e7bf411669af0428f631b8b5195911a952a26ac6bec815355b9610264a1a7f4fddf37504e5619a494992f357ef08c463e

Download Submit
C:\Windows\{86A7EBB1-2019-46b0-8596-DE7BF1C1D8F0}.exe

Filesize
91KB

MD5
d9f050a0c2fc23ca6b5b9e7901e911d4

SHA1
bd3bce3f49e9b849460a8dfa42dd6afc15111538

SHA256
f6ccea9f61d54e3c75e6b77ca8f0485c58a8f25c4535c2c9ac47a5332523652a

SHA512
7f5f954f9a20cbbf50d1d206f27f4f2382904659c1a9f94cc40f80537aebb8e5e735eda79ee9ddcfb2ad388554dbfd3c86ff60f7d165b107b4f8092ca0b54d1b

Download Submit
C:\Windows\{BA2C9018-9664-4968-B1AE-02203B060DE2}.exe

Filesize
91KB

MD5
b676bb4fcbb842ac7103e837e3c25977

SHA1
8be90ca76c3a205624853467eb368ce96a4f93ee

SHA256
517f03fcf413b1bf12b6c81b89973134677803e721ce88c48c3ce246935b90a9

SHA512
999fda500e979b1f71ff2f31f21114133fee384f43acbb1ad4a7bb52a36ff0d0c37dc5f013ffe3eaa44697c3fa33e71c73adece74ebb7ecd76a44242b8c8b195

Download Submit
C:\Windows\{ECFA3450-603C-4cab-9B16-80E8589CA310}.exe

Filesize
91KB

MD5
2d85047e78faaf4fdccc9d3b014e76c9

SHA1
d5412997a4dd6b8cda70e54fad0768bda9366942

SHA256
70e3bc1a524d2f4efe50f85661cdae0b9c65e236c712f181b73a8442c33df463

SHA512
c6e246b38ac360823024e325b8ec3cc22b74b121ee2f6a193d48b9712644014c2b359b8f310b41cc77b2e8d849a07c73ec4574861b520f043784a6c6bcdf9b33

Download Submit
C:\Windows\{F4597D78-D4E0-43a1-98FD-09DD0C8F36C2}.exe

Filesize
91KB

MD5
03f24dd9f75bf30788e1d6e9211c7bc2

SHA1
72dceadf8a510388a6d7ffbe79fcb7e10f7962cb

SHA256
07ae0c09693f0d92e17c52134e80de2be837188e504e060692d9af237b43fe70

SHA512
e06c8503bdad22048183f696dd37b2bea34a46997b82bdf7fc4d3e42b5e9a3770c24e9c823697ef3fffc98ff024abd95f318a4a1bf9f38f9dac427a7a980d11e

Download Submit
C:\Windows\{F8654E9D-A888-462e-8FCE-20A53E9EE253}.exe

Filesize
91KB

MD5
11974ef429002c2bdbf37e595620f331

SHA1
6119efec561d1b44370d54da30c941eecc4d0a0e

SHA256
3aa2507a3adde8c4b8b531ef37994214172f2077a1b2b5ba2963aab604d13308

SHA512
f4b8bea7c75eadc0be1ca9d6d4b03c3efdd33988a1203349cf77eaa7825808262e18013ab99b780b92ac350ad04859a9db328aa1b4a8b5fa8c1f4464aec19638

Download Submit
memory/1808-55-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/1808-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1808-59-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/1868-79-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/1868-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1868-80-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2424-69-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/2424-68-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/2424-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2448-13-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2448-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-46-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/2608-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2664-84-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2664-89-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2712-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2712-42-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2712-39-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2712-37-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2712-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2744-26-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/2744-27-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/2744-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2744-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2936-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2936-3-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2936-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2936-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads