d7b728f75d7a4063764c80b0456a73d1a2e477fc727575c7d6450c8291c27417

Analysis

max time kernel
118s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb06590256be0ac57f30f0e9aaa0a680N.exe
Size

89KB
MD5

cb06590256be0ac57f30f0e9aaa0a680
SHA1

a8362aaa945ff28ed9bc3dd0c1414106447e5221
SHA256

d7b728f75d7a4063764c80b0456a73d1a2e477fc727575c7d6450c8291c27417
SHA512

e3bb0076f653ff9d3d38eaaa6119fa6629e11f5145929b817264b9ce187b556f7103b3118870ea38955a4b63eab5cf28e9f5fb2428daa2e5750d82719b527362
SSDEEP

768:Qvw9816vhKQLroDb4/wQRNrfrunMxVFA3b7glL:YEGh0ofl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26E4F9EA-13F1-4e80-8148-FD096691D4DF}	{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00BC91AD-E30E-46df-A488-C1EAA1384953}\stubpath = "C:\\Windows\\{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe"	{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58E1FE60-0F3E-4f59-BCA1-85D30508CD92}	{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}\stubpath = "C:\\Windows\\{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe"	{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}	{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}\stubpath = "C:\\Windows\\{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe"	{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD354789-C13D-494a-915B-9BBEBB7681E6}	{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD354789-C13D-494a-915B-9BBEBB7681E6}\stubpath = "C:\\Windows\\{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe"	{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}	cb06590256be0ac57f30f0e9aaa0a680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2166A6F2-A19F-46bd-B970-6795E6DCECC6}\stubpath = "C:\\Windows\\{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe"	{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26E4F9EA-13F1-4e80-8148-FD096691D4DF}\stubpath = "C:\\Windows\\{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe"	{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58E1FE60-0F3E-4f59-BCA1-85D30508CD92}\stubpath = "C:\\Windows\\{58E1FE60-0F3E-4f59-BCA1-85D30508CD92}.exe"	{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}\stubpath = "C:\\Windows\\{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe"	cb06590256be0ac57f30f0e9aaa0a680N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2166A6F2-A19F-46bd-B970-6795E6DCECC6}	{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00BC91AD-E30E-46df-A488-C1EAA1384953}	{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}	{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24359C78-DAF9-4127-9D14-C2D00A01AE34}	{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24359C78-DAF9-4127-9D14-C2D00A01AE34}\stubpath = "C:\\Windows\\{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe"	{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe

Executes dropped EXE 9 IoCs

pid	Process
2408	{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe
1856	{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe
2872	{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe
1344	{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe
2896	{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe
4984	{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe
3240	{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe
2004	{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe
3832	{58E1FE60-0F3E-4f59-BCA1-85D30508CD92}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe	cb06590256be0ac57f30f0e9aaa0a680N.exe
File created	C:\Windows\{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe	{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe
File created	C:\Windows\{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe	{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe
File created	C:\Windows\{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe	{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe
File created	C:\Windows\{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe	{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe
File created	C:\Windows\{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe	{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe
File created	C:\Windows\{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe	{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe
File created	C:\Windows\{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe	{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe
File created	C:\Windows\{58E1FE60-0F3E-4f59-BCA1-85D30508CD92}.exe	{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58E1FE60-0F3E-4f59-BCA1-85D30508CD92}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb06590256be0ac57f30f0e9aaa0a680N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2952	cb06590256be0ac57f30f0e9aaa0a680N.exe
Token: SeIncBasePriorityPrivilege	2408	{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe
Token: SeIncBasePriorityPrivilege	1856	{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe
Token: SeIncBasePriorityPrivilege	2872	{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe
Token: SeIncBasePriorityPrivilege	1344	{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe
Token: SeIncBasePriorityPrivilege	2896	{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe
Token: SeIncBasePriorityPrivilege	4984	{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe
Token: SeIncBasePriorityPrivilege	3240	{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe
Token: SeIncBasePriorityPrivilege	2004	{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2408	2952	cb06590256be0ac57f30f0e9aaa0a680N.exe	94
PID 2952 wrote to memory of 2408	2952	cb06590256be0ac57f30f0e9aaa0a680N.exe	94
PID 2952 wrote to memory of 2408	2952	cb06590256be0ac57f30f0e9aaa0a680N.exe	94
PID 2952 wrote to memory of 4952	2952	cb06590256be0ac57f30f0e9aaa0a680N.exe	95
PID 2952 wrote to memory of 4952	2952	cb06590256be0ac57f30f0e9aaa0a680N.exe	95
PID 2952 wrote to memory of 4952	2952	cb06590256be0ac57f30f0e9aaa0a680N.exe	95
PID 2408 wrote to memory of 1856	2408	{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe	96
PID 2408 wrote to memory of 1856	2408	{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe	96
PID 2408 wrote to memory of 1856	2408	{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe	96
PID 2408 wrote to memory of 5032	2408	{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe	97
PID 2408 wrote to memory of 5032	2408	{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe	97
PID 2408 wrote to memory of 5032	2408	{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe	97
PID 1856 wrote to memory of 2872	1856	{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe	100
PID 1856 wrote to memory of 2872	1856	{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe	100
PID 1856 wrote to memory of 2872	1856	{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe	100
PID 1856 wrote to memory of 860	1856	{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe	101
PID 1856 wrote to memory of 860	1856	{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe	101
PID 1856 wrote to memory of 860	1856	{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe	101
PID 2872 wrote to memory of 1344	2872	{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe	102
PID 2872 wrote to memory of 1344	2872	{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe	102
PID 2872 wrote to memory of 1344	2872	{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe	102
PID 2872 wrote to memory of 448	2872	{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe	103
PID 2872 wrote to memory of 448	2872	{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe	103
PID 2872 wrote to memory of 448	2872	{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe	103
PID 1344 wrote to memory of 2896	1344	{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe	104
PID 1344 wrote to memory of 2896	1344	{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe	104
PID 1344 wrote to memory of 2896	1344	{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe	104
PID 1344 wrote to memory of 1520	1344	{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe	105
PID 1344 wrote to memory of 1520	1344	{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe	105
PID 1344 wrote to memory of 1520	1344	{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe	105
PID 2896 wrote to memory of 4984	2896	{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe	106
PID 2896 wrote to memory of 4984	2896	{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe	106
PID 2896 wrote to memory of 4984	2896	{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe	106
PID 2896 wrote to memory of 4684	2896	{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe	107
PID 2896 wrote to memory of 4684	2896	{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe	107
PID 2896 wrote to memory of 4684	2896	{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe	107
PID 4984 wrote to memory of 3240	4984	{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe	108
PID 4984 wrote to memory of 3240	4984	{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe	108
PID 4984 wrote to memory of 3240	4984	{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe	108
PID 4984 wrote to memory of 2120	4984	{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe	109
PID 4984 wrote to memory of 2120	4984	{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe	109
PID 4984 wrote to memory of 2120	4984	{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe	109
PID 3240 wrote to memory of 2004	3240	{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe	110
PID 3240 wrote to memory of 2004	3240	{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe	110
PID 3240 wrote to memory of 2004	3240	{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe	110
PID 3240 wrote to memory of 744	3240	{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe	111
PID 3240 wrote to memory of 744	3240	{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe	111
PID 3240 wrote to memory of 744	3240	{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe	111
PID 2004 wrote to memory of 3832	2004	{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe	112
PID 2004 wrote to memory of 3832	2004	{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe	112
PID 2004 wrote to memory of 3832	2004	{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe	112
PID 2004 wrote to memory of 1236	2004	{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe	113
PID 2004 wrote to memory of 1236	2004	{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe	113
PID 2004 wrote to memory of 1236	2004	{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe	113

C:\Users\Admin\AppData\Local\Temp\cb06590256be0ac57f30f0e9aaa0a680N.exe
"C:\Users\Admin\AppData\Local\Temp\cb06590256be0ac57f30f0e9aaa0a680N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe
  C:\Windows\{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe
    C:\Windows\{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe
      C:\Windows\{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe
        
        C:\Windows\{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
      - C:\Windows\{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe
        
        C:\Windows\{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe
        
        C:\Windows\{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe
        
        C:\Windows\{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe
        
        C:\Windows\{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\{58E1FE60-0F3E-4f59-BCA1-85D30508CD92}.exe
        
        C:\Windows\{58E1FE60-0F3E-4f59-BCA1-85D30508CD92}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00BC9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26E4F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD354~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2166A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12D4E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24359~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6E8ED~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0B211~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CB0659~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00BC91AD-E30E-46df-A488-C1EAA1384953}.exe

Filesize
89KB

MD5
3abc169d909c6f1d0baee017e4f15675

SHA1
4849197650fa6c897045064064d18fe003393d26

SHA256
ba4dc92a7ee90e85566f912af642f07e4f58e2c1b1ae0ec2e5d0598629a0a94c

SHA512
61b1764e3d8730dcae5df8c20614000b8cfecc78d532c68d0de021f5accc4e4d79196ab40b2cb7b24da99d1fc3f86374cd5e61be051eed51ab417c27dfd3d33c

Download Submit
C:\Windows\{0B211F8C-C2F1-41bd-AD49-DC3B5F364C70}.exe

Filesize
89KB

MD5
7b2c13b851103c8b5b6c621e0bba6937

SHA1
db05cb7c9311e292943e4f6728eee265851b2303

SHA256
46887978bae2de6b605c1510cb806fdc7d915568e56ac8b59e09d5569b37478b

SHA512
8eea57dc3750364a3b5f58217f074fc30b84dc6f1dc50857bdaa1a1bb1a6aaeb32b94b90b4339678bedf403449a50f893652a21e2ef8ebefd7bc9104b931508a

Download Submit
C:\Windows\{12D4E217-CCCE-409d-BB18-05CF19F3F9CB}.exe

Filesize
89KB

MD5
0dce9e94efb78717fcf484b597fc3567

SHA1
407bfd1c5455b528c1171c788edb7afba2964e1c

SHA256
6cfaf7c11c17702aba8a5029206aa91a27a676d3d7a0932f962d8ee0b3178451

SHA512
3a79e2512979dfdea3ba4cd0190695063a394a256c2192d3f7b582a6ac0df6175211794ee60985b2654116dd0beb17fd7620347905dbcfc7548a3c3d506e5075

Download Submit
C:\Windows\{2166A6F2-A19F-46bd-B970-6795E6DCECC6}.exe

Filesize
89KB

MD5
bf61f597e3ca693eca438f528741983e

SHA1
bc8c8d17ce9a9512e52dd6036398e04e44ad5ebf

SHA256
de15f4269141e156622f1d511e6a94327e98a90e37aeb60593418b6f7badc8c5

SHA512
3f07f7227681e9d95ec5e58ea22bb78f57961e9af017d0bdb10a96f33a0e6cf734cdf6ae9b5df51222cfbc26c53140bd8ac5ba1e221f6723ed9909a63b71a2fa

Download Submit
C:\Windows\{24359C78-DAF9-4127-9D14-C2D00A01AE34}.exe

Filesize
89KB

MD5
06ddea5aef59fd01534cf1a5015087bc

SHA1
bc7b677ee9822f35dbded2b2b00971fc6099b61d

SHA256
86ef1bf25779b87c869fdac9fb01c9a53d8be5f85391ab90b7c1bb489e73c9e8

SHA512
adc864ef78a95366fa1b4e75830bb640fbf5681f1b0d9ef0c29beeec86b67bdde11b9213d9e0389c6804b7f21774adfa58a2be4f883bb1668cddfc9e5fdf1b48

Download Submit
C:\Windows\{26E4F9EA-13F1-4e80-8148-FD096691D4DF}.exe

Filesize
89KB

MD5
0ebf221dc38bcf01385e918d02be9aab

SHA1
44758486964c8da18532ec2246d0fc5a8d0ace25

SHA256
f2f9619c7e875ba0be8e90e441eb0845911a9ab962ace6434db82f15406be293

SHA512
b4d6f0f7e43c6c40a5cf1aa4cf66d90c6b24e79b4f9583c4a9ea43cc8e18520bf8b0d5c726aeb957804c2f362e5853aec430f07c709c2519b7409aa667ee284d

Download Submit
C:\Windows\{58E1FE60-0F3E-4f59-BCA1-85D30508CD92}.exe

Filesize
89KB

MD5
60fe099c132ba01f17963985e7bf5f49

SHA1
256aaff4ec28d68d5f9252b0cdf77aed34e72951

SHA256
f9380331f27de758fb72166f7ca2198e12f8a4adc0e6756cd9aefd14f0b718bc

SHA512
fc9d582f27dbb39746b37a8a1277166c6c956a35d27f2b6113c67a3597fa2192561466fd9cb0699fbb386880f7fdeec59aebe5b46d3a96953e2fdd87c22eb651

Download Submit
C:\Windows\{6E8EDAB0-F7BE-4c1b-B7E0-6B2F389C2A3F}.exe

Filesize
89KB

MD5
6bf0d2de324d1d31b524e00608bad210

SHA1
95c3a9aaef966d73d48b8b7a2a2d605cdc5dcbee

SHA256
2cc69cf82c57dbda8e177ec544ebfbc87bdd9e11254eb1695427f0bd432e09d2

SHA512
e4550ed71e41026be4a226e6d0095979d51fbc57dd09cdb7fb33c42b25cfee9047d6e0e9997ae5289dcccbbecb80dc07b9acf22b53adfc681599454626a86da9

Download Submit
C:\Windows\{AD354789-C13D-494a-915B-9BBEBB7681E6}.exe

Filesize
89KB

MD5
fc9ba6159d10c994356c5ecaaf191666

SHA1
497cfa950d922f9610db0769a60ec61aab117b79

SHA256
6b67c2bc2e348ee3d2b0b7a80482d0ef3193e65401aad933fc4cc25f7285df29

SHA512
bdba26078641069d9a1d7e750e87a5e98ebaf480e06813831d8ce7be229d0476875b954e648d5abc68f99ff7af0a3b758c38ee1eafce2e542ed0785c040fdc8a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads